Abstract

We devise a simple modification that essentially doubles the efficiency
of the BB84 quantum key distribution scheme proposed by Bennett and
Brassard. We also prove the security of our modified scheme against the
most general eavesdropping attack that is allowed by the laws of physics.
The first major ingredient of our scheme is the assignment of
significantly different probabilities to the different polarization bases
during both transmission and reception, thus reducing the fraction of
discarded data. A second major ingredient of our scheme is a refined
analysis of accepted data: We divide the accepted data into various
subsets according to the basis employed and estimate an error rate for
each subset separately. We then show that such a refined data analysis
guarantees the security of our scheme against the most general
eavesdropping strategy, thus generalizing Shor and Preskill's proof of
security of BB84 to our new scheme. Up till now, most proposed proofs of
security of single-particle type quantum key distribution schemes have
relied heavily upon the fact that the bases are chosen uniformly, randomly
and independently. Our proof removes this symmetry requirement.

Keywords: Quantum Cryptography, Quantum Key Distribution 

1 Introduction 

Since an encryption scheme is only as secure as its key, key distribution
is a big problem in conventional cryptography. Public-key based key
distribution schemes such as the Diffie-Hellman scheme solve the key
distribution problem by making computational assumptions such as that the
discrete logarithm problem is hard. However, unexpected future advances in
algorithms and hardware (e.g., the construction of a quantum computer) may
render many public-key based schemes insecure. Worse still, this would lead
to a retroactive total security break with disastrous consequences. This is
because an eavesdropper may save a message transmitted in the year 2003
and wait for the invention of a new algorithm/hardware to decrypt the
message decades later. A big problem in conventional public-key
cryptography is that there is, in principle, nothing to prevent an
eavesdropper with infinite computing power from passively monitoring the
key distribution channel and thus successfully decoding any subsequent
communication.

Recently, there has been much interest in using quantum mechanics in
cryptography. (The subject of quantum cryptography was started by
S. Wiesner in a paper that was written in about 1970 but remained
unpublished until 1983. For reviews on the subject, see 0123 EH].) The aim
of quantum cryptography has always been to solve problems that are
impossible from the perspective of conventional cryptography. This paper
deals with quantum key distribution whose goal is to detect eavesdropping
using the laws of physics.^ In quantum mechanics, measurement is not just a
passive, external process, but an integral part of the formalism. Indeed,
thanks to the quantum no-cloning theorem, passive monitoring of unknown
transmitted signals is strictly forbidden in quantum mechanics. Moreover,
an eavesdropper who is listening to a channel in an attempt to learn
information about quantum states will almost always introduce disturbance
in the transmitted quantum signals [7]. Such disturbance can be detected
with high probability by the legitimate users. Alice and Bob will use the
transmitted signals as a key for subsequent communications only when the
security of quantum signals is established (from the low value of error
rate).

^ Another class of applications of quantum cryptography has also been
proposed. Those applications are mainly based on quantum bit commitment and
quantum one-out-of-two oblivious transfer. However, it is now known that
unconditionally secure quantum bit commitment and unconditionally secure
quantum one-out-of-two oblivious transfer are both impossible. Furthermore,
other quantum cryptographic schemes such as a general two-party secure
computation have also been shown to be insecure. For a review, see [T7].

Although various QKD schemes have been proposed, the best-known one is
still perhaps the first QKD scheme proposed by Bennett and Brassard and
published in 1984. Their scheme, which is commonly known as the BB84
scheme, will be briefly discussed in Section 3. Here it suffices to note
two of its characteristics. First, in BB84 each of the two users, Alice and
Bob, chooses for each photon between two polarization bases randomly (that
is, the choice of basis is a random variable), uniformly (that is, with
equal probability) and independently. For this reason, half of the time
they are using different bases, in which case the data are rejected
immediately. Consequently, the efficiency of BB84 is at most 50%. Second, a
simple-minded error analysis is performed in BB84. That is to say, all the
accepted data (those that are encoded and decoded in the same basis) are
lumped together and a single error rate is computed.

In contrast, in our new scheme Alice and Bob choose between the two bases
randomly, independently but not uniformly. In other words, the two bases
are chosen with substantially different probabilities. As Alice and Bob are
now much more likely to be using the same basis, the fraction of discarded
data is greatly reduced, thus achieving a significant gain in efficiency.
In fact, we are going to show in this paper that the efficiency of our
scheme can be made asymptotically close to unity. (The so-called orthogonal
quantum cryptographic schemes have also been proposed. They use only a
single basis of communication and, according to Goldenberg, it is possible
to use them to achieve efficiencies greater than 50% [22]. Since they are
conceptually rather different from what we are proposing, we will not
discuss them here.)

Is the new scheme secure? If a simple-minded error analysis like the one
that lumps all accepted data together were employed, an eavesdropper could
easily break a scheme by eavesdropping mainly along the predominant basis.
To ensure the security of our scheme, it is crucial to employ a refined
data analysis. That is to say, the accepted data are further divided into
two subsets according to the actual basis used by Alice and Bob and the
error rate of each subset is computed separately. We will argue in this
paper that such a refined error analysis is sufficient in ensuring the
security of our improved scheme, against the most general type of
eavesdropping attack allowed by the laws of quantum physics. This is done
by using the technique of Shor and Preskill's proof of security of BB84 — a
proof that built on the earlier work of Lo and Chau and of Mayers.
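The weakness of lumped error analysis under biased basis choice, and its repair by per-basis error rates, can be seen in a small classical simulation. This is an added example, not code from the paper; it assumes ideal single-photon signals, a noiseless channel, an eavesdropper who measures every photon in the predominant basis and resends it, and error rates computed over all accepted signals rather than a random test sample. The bias `p_x = 0.1`, the 5% acceptance threshold and all function names are constructed for illustration.

```python
import random


def measure(state_basis, state_bit, meas_basis, rng):
    """Ideal single-photon measurement: the same basis returns the encoded
    bit, the complementary basis returns a uniformly random bit."""
    if state_basis == meas_basis:
        return state_bit
    return rng.getrandbits(1)


def run_qkd(n_signals, p_x, eve_present, seed=2003):
    """Simulate n_signals photons sent from Alice to Bob.

    p_x is the probability that Alice, and independently Bob, picks the X
    (diagonal) basis; Z (rectilinear) is the predominant basis if p_x < 0.5.
    Eve, if present, measures every photon in Z and resends what she saw.
    Returns {basis: [accepted, errors]} for signals sent and received in the
    same basis.
    """
    rng = random.Random(seed)
    stats = {"Z": [0, 0], "X": [0, 0]}
    for _ in range(n_signals):
        alice_basis = "X" if rng.random() < p_x else "Z"
        bob_basis = "X" if rng.random() < p_x else "Z"
        alice_bit = rng.getrandbits(1)
        basis, bit = alice_basis, alice_bit
        if eve_present:
            bit = measure(basis, bit, "Z", rng)  # disturbs X-basis signals
            basis = "Z"                          # resent state is a Z state
        bob_bit = measure(basis, bit, bob_basis, rng)
        if alice_basis == bob_basis:             # accepted data only
            stats[alice_basis][0] += 1
            stats[alice_basis][1] += int(bob_bit != alice_bit)
    return stats


def efficiency(stats, n_signals):
    """Fraction of transmitted signals that are accepted.
    For independent choices this tends to p_x**2 + (1 - p_x)**2."""
    return sum(acc for acc, _ in stats.values()) / n_signals


def lumped_error_rate(stats):
    """Simple-minded analysis: one error rate over all accepted data."""
    accepted = sum(acc for acc, _ in stats.values())
    errors = sum(err for _, err in stats.values())
    return errors / accepted


def per_basis_error_rates(stats):
    """Refined analysis: a separate error rate for each basis."""
    return {b: (err / acc if acc else 0.0) for b, (acc, err) in stats.items()}


def passes_quality_check(stats, threshold, refined):
    """Accept the run only if the relevant error rate(s) stay below threshold."""
    if refined:
        rates = per_basis_error_rates(stats)
        return all(rate <= threshold for rate in rates.values())
    return lumped_error_rate(stats) <= threshold


if __name__ == "__main__":
    N, P_X, THRESHOLD = 200_000, 0.1, 0.05  # constructed parameters
    for eve in (False, True):
        s = run_qkd(N, P_X, eve)
        print("Eve present:", eve)
        print("  efficiency        :", round(efficiency(s, N), 3))
        print("  lumped error rate :", round(lumped_error_rate(s), 4))
        print("  per-basis rates   :", per_basis_error_rates(s))
        print("  lumped check pass :", passes_quality_check(s, THRESHOLD, False))
        print("  refined check pass:", passes_quality_check(s, THRESHOLD, True))
```

With the eavesdropper present, the lumped error rate stays under one percent because X-basis signals are a small share of the accepted data, while the X-basis error rate alone is close to 50% and fails the refined check.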

Our scheme is worth studying for several reasons. First, unlike the
entanglement-based QKD scheme proposed by Lo and Chau in Ref. jH], the
implementation of our new scheme does not require a quantum computer. It
only involves the preparation and measurement of single photons as in
standard BB84. Second, none of the existing schemes based on non-orthogonal
quantum cryptography has an efficiency more than 50%. (We shall say a few
words on the so-called orthogonal quantum cryptography in Section ini) By
showing in this paper that the efficiency of our new scheme can be made
asymptotically close to 100%, we know that QKD can be made arbitrarily
efficient. Our idea is rather general and can be applied to improve the
efficiency of some other existing single particle based QKD schemes such as
the six-state scheme. Note that the efficiency of quantum cryptography is
of practical importance because it may play an important role in deciding
the feasibility of practical quantum cryptographic systems in any future
application. Third, our scheme is one of the few QKD schemes whose security
has been rigorously proven. Finally, all previous proofs of security seem
to rely heavily on the fact that the two bases are chosen randomly and
uniformly. Our proof shows that such a requirement is redundant. Another
advantage of our security proof is that it does not depend on asymptotic
arguments and hence can be applied readily to realistic situations
involving only a relatively small amount of quantum signal transmission.

The organization of our paper is as follows. The basic features and the
requirements of unconditional security will be reviewed in Section 2. In
Section 3 we will review the BB84 scheme and Shor-Preskill proof for
completeness. Readers who are already familiar with the BB84 scheme and
Shor-Preskill proof may browse through Section 2 and skip Section 3. An
overview of our proof of security of an efficient QKD scheme will be given
in Section HI which is followed by Section El which ties up some loose ends.
Finally, we give some concluding remarks in Section El

2 Basic Features and Requirements of a 
Quantum Key Distribution Scheme 

2.1 basic procedure 

The aim of a QKD scheme is to allow two cooperative participants (commonly
known as Alice and Bob) to establish a common secret key in the presence
of noise and an eavesdropper (commonly known as Eve) by exploiting the laws
of quantum physics. More precisely, it is commonly assumed that Alice and
Bob share a small amount of initial authentication information. The goal
is then to expand such a small amount of authentication information into
a long secure key. In almost all QKD schemes proposed so far, Alice and
Bob are assumed to have access to a classical public unjammable channel as
well as a quantum noisy insecure channel. That is to say, we assume that
everyone, including the eavesdropper Eve, can listen to the conversations
but cannot change the messages sent through the public classical channel.
In practice, an authenticated classical channel should suffice. On the
other hand, the transmission of quantum signals can be done through free
air or optical fibers [50, 59] in practice. The present state-of-the-art
quantum channel for QKD can transmit signals up to a rate of 4 x 10^ qubits
per second over a distance of about 10 km with an error rate of a few
percent.^ The quantum channel is assumed to be insecure. That is to say
that the eavesdropper is free to manipulate the signal transmitted through
the quantum channel as long as such manipulation is allowed by the known
laws of physics.

^In experimental implementations, coherent states with a Poisson
distribution in the number of photons are often employed. To achieve
unconditional security, it is important that the operational parameters are
chosen such that the fraction of multi-photon signals is sufficiently
small. This may substantially reduce the key generation rate. In the
current paper, we restrict our attention to perfect single photon signals
as assumed in standard BB84 and various security proofs.
Using the above two channels, procedures in all secure QKD schemes we
know of to date can be divided into the following three stages:

1. Signal Preparation And Transmission Stage: Alice and Bob separately
prepare a number of classical and quantum signals. They may keep
some of them private and transmit the rest to the other party using
the secure classical and insecure quantum channels. They may iterate
the signal preparation and transmission process a few times.

2. Signal Quality Check Stage: Alice and Bob then (use their private
information retained in the signal preparation and transmission stage,
the secure classical channel and their own quantum measurement
apparatus to) test the fidelity of their exchanged quantum signals that
have just been transmitted through the insecure and noisy quantum
channel. Since a quantum measurement is an irreversible process, some
quantum signals are consumed in this signal quality check stage. The
aim of their test is to estimate the noise and hence the upper bound
for the eavesdropping level of the channel from the sample of quantum
signals they have measured. In other words, the process is conceptually
the same as a typical quality control test in a production line — to
test the quality of products by means of destructive random sampling
tests. Alice and Bob abort and start all over again in case they believe
from the result of their tests that the fidelity of the remaining
quantum signal is not high enough. Alice and Bob proceed to the final
stage only if they believe from the result of their tests that the
fidelity of the remaining quantum signal is high.

3. Signal Error Correction and Privacy Amplification Stage: Alice and
Bob need to correct errors in their remaining signals. Moreover, they
would like to remove any residual information Eve might still have on
the signals. In other words, Alice and Bob would like to distill from
the remaining untested quantum signals a smaller set of almost perfect
signals without being eavesdropped or corrupted by noise. We call this
process privacy amplification. Finally, Alice and Bob make use of these
distilled signals to generate their secret shared key.
2.2 security requirement

A QKD scheme is said to be secure if, for any eavesdropping strategy by
Eve, either a) it is highly unlikely that the state will pass Alice and
Bob's quality check stage or b) with a high probability Alice and Bob will
share the same key, which is essentially random and, furthermore, Eve has a
negligible amount of information on their shared key.^

^Naively, one might think that the security requirement should simply be:
conditional on passing the quality check stage, Eve has a negligible amount
of information on the key. However, such a strong security requirement is,
in fact, impossible to achieve. The point is that a determined eavesdropper
can always replace all the quantum signals from Alice by some specific
state prepared by herself. Such a strategy will most likely fail in the
quality check. But, if it is lucky enough to pass, then Eve will have
perfect information on the key shared by Alice and Bob.

3 Bennett and Brassard's Scheme (BB84)

3.1 Basic idea of the BB84 scheme

We now briefly review the basic ingredients of the BB84 scheme and the
ideas behind its security. Readers who are already familiar with BB84 and
the Shor-Preskill proof may choose to skip this section to go directly to
our biased scheme in Section 4. In BB84, Alice prepares and transmits to
Bob a batch of photons each of which is independently in one of the four
possible polarizations: horizontal (0°), vertical (90°), 45° and 135°. For
each photon, Bob randomly picks one of the two (rectilinear or diagonal)
bases to perform a measurement. While the measurement outcomes are kept
secret by Bob, Alice and Bob publicly compare their bases. They keep only
the polarization data that are transmitted and received in the same basis.
Notice that, in the absence of noise and eavesdropping interference, those
polarization data should agree. This completes the signal preparation and
transmission stage of the BB84 scheme. We remark that the laws of quantum
physics strictly forbid Eve to distinguish between the four possibilities
with certainty. This is because the two polarization bases, namely
rectilinear and diagonal, are complementary observables and quantum
mechanics forbids the simultaneous determination of the eigenvalues of
complementary observables.^ More importantly, any eavesdropping attack will
lead to a disagreement in the polarization data between Alice and Bob,
which can be detected by them through public classical discussion. More
concretely, to test for tampering in the signal quality check stage, Alice
and Bob choose a random subset of the transmitted photons and publicly
compare their polarization data. If the quantum bit error rate (that is,
the fraction of polarization data that disagree) is unreasonably large,
they throw away all polarization data and start all over again. On the
other hand, if the quantum bit error rate is acceptably small, they should
then move on to the signal error correction and privacy amplification stage
by performing public classical discussion to correct remaining errors.

^Mathematically, observables in quantum mechanics are represented by
Hermitian matrices. Complementary observables are represented by
non-commuting matrices and, therefore, cannot be simultaneously
diagonalized. Consequently, their simultaneous eigenvectors generally do
not exist.

Proving security of a QKD scheme turned out to be a very tricky business.
The problem is that, in principle, Eve may have a quantum computer.
Therefore, she could employ a highly sophisticated eavesdropping attack by
entangling all the quantum signals transmitted by Alice. Moreover, she
could wait to hear the subsequent classical discussion between Alice and
Bob during both the signal quality check and the error correction and
privacy amplification stages before making any measurement on her system.^
One class of proofs by Mayers and subsequently others proved the security
of the standard BB84 directly. Those proofs are relatively complex. Another
approach by Lo and Chau dealt with schemes that are based on quantum
error-correcting codes. It has the advantage of being conceptually simpler,
but requires a quantum computer to implement. These two classes of proofs
have been linked up by the recent seminal work of Shor and Preskill, who
provided a simple proof of security of the BB84 scheme. They showed that an
eavesdropper is no better off with standard BB84 than a QKD scheme based on
a specific class of quantum error-correcting codes. So long as from Eve's
view, Alice and Bob could have performed the key generation by using their
quantum computers, one can bound Eve's information on the key. It does not
matter that Alice and Bob did not really use quantum computers.

^As demonstrated by the well-known Einstein-Podolsky-Rosen paradox,
classical intuitions generally do not apply to quantum mechanics. This is a
reason why proving security of QKD is hard.
3.2 entanglement purification

To recapitulate Shor and Preskill's proof, we shall first introduce a QKD
scheme based on entanglement purification and prove its security. Our
discussion in the next few subsections essentially combines those of Shor
and Preskill and Gottesman and Preskill [28].^

^There are some subtle differences between the original Shor and Preskill's
proof and the one elaborated by Gottesman and Preskill. First, in the
original Shor and Preskill's proof, Alice and Bob apply a simple-minded
error rate estimation procedure in which they lump all polarization data of
their test sample together into a single set and compute a single bit error
rate. In contrast, in Gottesman and Preskill's elaboration, Alice and Bob
separate the polarization data according to the bases in which they are
transmitted and received. The two bit error rates for the rectilinear and
diagonal bases are computed separately. In essence, they are employing the
refined data analysis idea, which was first presented in a preliminary
version of this manuscript [45]. Second, in Gottesman and Preskill's
discussion, the final key is generated by measuring along a single basis,
namely the Z-basis. (Because of this prescription, they call the error
rates of the two bases simply bit-flip and phase errors. To avoid any
potential confusion, we will not use their terminology here.) In contrast,
in Shor and Preskill's original proof, the final key is generated from
polarization data obtained in both bases.

Entanglement purification was first proposed by Bennett, DiVincenzo,
Smolin and Wootters (BDSW). Its application to QKD was first proposed by
Deutsch et al. [20]. A convincing proof of security based on entanglement
purification was presented by Lo and Chau. Finally, Shor and Preskill [53]
noted its connection to BB84.

Suppose two distant observers, Alice and Bob, share n impure EPR pairs.
That is to say, some noisy version of the state

$$ |\Phi^{(n)}\rangle = |\Phi^+\rangle^{\otimes n}, \qquad (1) $$

where $|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. They
may wish to distill out a smaller number, say k, pairs of perfect EPR
pairs, by applying only classical communications and local operations. This
process is called entanglement purification. Suppose they succeed in
generating k perfect EPR pairs. By measuring the resulting EPR pairs along
a common axis, Alice and Bob can obtain a secure k-bit key.

Of course, a quality check stage must be added in QKD to guarantee the
likely success of the entanglement purification procedure (for any
eavesdropping attack that will pass the quality check stage with a
non-negligible probability). A simple quality check procedure is for Alice
and Bob to take a random sample of the pairs and measure each of them
randomly along either X or Z axis and compute the bit error rate (i.e., the
fraction in which the answer differs from what is expected from an EPR
pair). Suppose they find the bit error rates for the X and Z bases of the
sample to be $p_X$ and $p_Z$ respectively. For a sufficiently large sample
size, the properties of the sample provide good approximations to those of
the population. Therefore, provided that the entanglement purification
protocol that they employ can tolerate slightly more than $p_X$ and $p_Z$
errors in the two bases, we would expect that their QKD scheme is secure.
This point will be proven in subsequent discussions in subsection 3.3.

Let us introduce some notations.

Definition: Pauli operators. We define a Pauli operator acting on n qubits
to be a tensor product of individual qubit operators that are of the form

$$ I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}. $$

For example, $\mathcal{P} = X \otimes I \otimes Y \otimes Z$ is a Pauli
operator.

We shall consider entanglement purification protocols that can be
conveniently described by stabilizers [21]. A stabilizer is an Abelian
group whose generators, $M_i$'s, are Pauli operators.

Consider a fixed but arbitrary [[n, k, d]] stabilizer-based quantum
error-correcting code (QECC). The notation [[n, k, d]] means that it
encodes k logical qubits into n physical qubits with a minimum distance d.
As noted in [SI, the encoding and decoding procedure of Alice and Bob can
be equivalently described by a set of Pauli operators, $M_i$, with both
Alice and Bob measuring the same operator $M_i$. To generate the final key
from the encoded qubits, Alice and Bob eventually apply a set of operators,
say $Z_{a,A}$ and $Z_{a,B}$ respectively, for $a = 1, 2, \ldots, k$. In
Shor and Preskill's proof, all Alice's (Bob's respectively) operators
commute with each other.

If the n EPR pairs were perfect, Alice and Bob would obtain identical
outcomes for their measurements, $M_{i,A}$ and $M_{i,B}$. Moreover, because
of the commutability of the operators, those measurements would not disturb
the encoded operations, $Z_{a,A} \otimes Z_{a,B}$, each of which will give
+1 as its eigenvalue for the state of n perfect EPR pairs. This is because
measurements $Z_{a,A}$ and $Z_{a,B}$ produce the same +1 or −1 eigenvalues.

What about n noisy EPR pairs? Suppose Alice and Bob broadcast their
measurement outcomes for $M_{i,A}$ and $M_{i,B}$ respectively. The product
of their measurement outcomes of $M_{i,A}$ and $M_{i,B}$ gives the error
syndrome of the state, which is now noisy. Since the original QECC can
correct up to $t = \lfloor \frac{d-1}{2} \rfloor$ errors, intuitively,
provided that the numbers of bit-flip errors and phase errors are each less
than t, Alice and Bob will successfully correct the state to obtain the k
encoded EPR pairs. Now, they can measure the encoded operations
$Z_{a,A} \otimes Z_{a,B}$ to obtain a secure k-bit key.

3.3 Reduction to Pauli strategy 

Definition: Correlated Pauli strategy. Recall that a Pauli operator acting
on n qubits is defined to be a tensor product of individual qubit operators
that are of the form I, X, Y and Z. We define a correlated Pauli strategy,
$(\mathcal{P}_i, q_i)$, to be one in which Eve applies only Pauli
operators. That is to say that Eve applies a Pauli operator
$\mathcal{P}_i$ with a probability $q_i$.

The argument in the last subsection is precise only for a specific class of
eavesdropping strategies, namely the class of correlated Pauli strategies.
In this case, the numbers of bit-flip and phase errors are, indeed,
well-defined. What about a general eavesdropping attack? In general, Alice
and Bob's system is entangled with Eve's system. Does it still make any
sense to say that Alice and Bob's system has no more than t bit-flip errors
and no more than t phase errors? Surprisingly, it does. Instead of having
to consider all possible eavesdropping strategies by Eve, it turns out that
it is sufficient to consider the Pauli strategy defined above. In other
words, one can assume that Eve has applied some Pauli operators, i.e.,
tensor products of single-qubit identities and Pauli matrices, on the
transmitted signals with some classical probability distribution. More
precisely, it can be shown that the fidelity of the recovered k EPR pairs
is at least as big as the probability that i) t or fewer bit-flip errors
and ii) t or fewer phase errors would have been found if a Bell-measurement
had been performed on the n pairs.

Mathematically, the insight can be stated as the following theorem:

Theorem 1 (from f28l I55|, 144] ): Suppose Alice and Bob share a bipartite
state of n pairs of qubits and they execute a stabilizer-based entanglement
purification procedure that can be described by the measurement operators,
$M_i$, with both Alice and Bob measuring the same $M_i$. Suppose further
that the procedure leads to a [[n, k, d]] QECC which corrects
$t = \lfloor \frac{d-1}{2} \rfloor$ bit-flip errors and also t phase
errors. Then, the fidelity of the recovered state, after error correction,
as k EPR pairs

$$ F = \langle \Phi^{(k)} | \rho_r | \Phi^{(k)} \rangle \ge \mathrm{Tr}(\Pi_S \rho). \qquad (2) $$

Here, $|\Phi^{(k)}\rangle$ is the encoded state of k EPR pairs, $\rho_r$ is
the density matrix of the recovered state after quantum error correction,
$\rho$ is the density matrix of the n EPR pairs before error correction and
$\Pi_S$ represents the projection operator into the Hilbert space, called
$\mathcal{H}_{good}$, which is spanned by Bell pairs states that differ
from n EPR pairs in no more than t bit-flip errors and also no more than t
phase errors.
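Proof of Theorem 1:

One can regard $\rho$ as the reduced density matrix of some pure state
$|\Psi\rangle_{SE}$ which describes the state of the system, S, and an
ancilla (the environment, E, outside Alice and Bob's control). Now, in the
recovery procedure, Alice and Bob couple some auxiliary reservoir, R,
prepared in some arbitrary initial state, $|0\rangle_R$, to the system.
Initially, let us decompose the pure state
$|\Psi\rangle_{SE} \otimes |0\rangle_R$ into a "good" component and a "bad"
component, where the good component is defined as:

$$ |\Psi_{good}\rangle = (\Pi_S \otimes I_{ER}) |\Psi\rangle_{SE} \otimes |0\rangle_R \qquad (3) $$

and the bad component is given by:

$$ |\Psi_{bad}\rangle = ((I_S - \Pi_S) \otimes I_{ER}) |\Psi\rangle_{SE} \otimes |0\rangle_R. \qquad (4) $$

Now, the recovery procedure will map the two components,
$|\Psi_{good}\rangle$ and $|\Psi_{bad}\rangle$, unitarily into
$|\Psi'_{good}\rangle$ and $|\Psi'_{bad}\rangle$. Since the recovery
procedure works perfectly in the subspace, $\mathcal{H}_{good}$, we have

$$ |\Psi'_{good}\rangle = |\Phi^{(k)}\rangle_S \otimes |junk\rangle_{ER}. \qquad (5) $$

Let us consider the norm of the good component:

$$ \langle \Psi'_{good} | \Psi'_{good} \rangle = \langle \Psi_{good} | \Psi_{good} \rangle = \mathrm{Tr}(\Pi_S \rho). \qquad (6) $$

Now, the fidelity of the final state as k EPR pairs is given by:

$$
\begin{aligned}
F &= {}_{SER}\langle \Psi' | \left( |\Phi^{(k)}\rangle_S \, {}_S\langle \Phi^{(k)}| \otimes I_{ER} \right) | \Psi' \rangle_{SER} && (7) \\
&= {}_{SER}\langle \Psi'_{good} | \left( |\Phi^{(k)}\rangle_S \, {}_S\langle \Phi^{(k)}| \otimes I_{ER} \right) | \Psi'_{good} \rangle_{SER} \\
&\quad + {}_{SER}\langle \Psi'_{bad} | \left( |\Phi^{(k)}\rangle_S \, {}_S\langle \Phi^{(k)}| \otimes I_{ER} \right) | \Psi'_{bad} \rangle_{SER} \\
&\quad + {}_{SER}\langle \Psi'_{good} | \left( |\Phi^{(k)}\rangle_S \, {}_S\langle \Phi^{(k)}| \otimes I_{ER} \right) | \Psi'_{bad} \rangle_{SER} \\
&\quad + {}_{SER}\langle \Psi'_{bad} | \left( |\Phi^{(k)}\rangle_S \, {}_S\langle \Phi^{(k)}| \otimes I_{ER} \right) | \Psi'_{good} \rangle_{SER} && (8) \\
&= {}_{SER}\langle \Psi'_{good} | \Psi'_{good} \rangle_{SER} \\
&\quad + {}_{SER}\langle \Psi'_{good} | \Psi'_{bad} \rangle_{SER} \\
&\quad + {}_{SER}\langle \Psi'_{bad} | \Psi'_{good} \rangle_{SER} && (9) \\
&\quad + {}_{SER}\langle \Psi'_{bad} | \left( |\Phi^{(k)}\rangle_S \, {}_S\langle \Phi^{(k)}| \otimes I_{ER} \right) | \Psi'_{bad} \rangle_{SER} && (10) \\
&\ge \mathrm{Tr}(\Pi_S \rho) && (11)
\end{aligned}
$$

where the orthogonality of the states, $|\Psi'_{good}\rangle_{SER}$ and
$|\Psi'_{bad}\rangle_{SER}$, is used in Eq. (11). Q.E.D.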



3.4 quality check procedure 

In the last subsection, we showed that, provided that a Bell measurement,
had it been performed, would have shown that the numbers of bit-flip errors
and phase errors are both no more than t, Alice and Bob will succeed in
generating a secure key. In reality, there is no way for two distant
observers, Alice and Bob, to verify such a condition directly. Fortunately,
Alice and Bob can perform some quality check procedure by randomly sampling
their pairs. We have the following Proposition:

Proposition 1 ([44], particularly its supplementary notes VI):
Suppose Alice prepares N EPR pairs and sends a half of each pair to Bob via
a noisy channel (perhaps controlled by Eve). Alice and Bob may randomly
select m of those pairs and perform a random measurement along either the
X or the Z axis. Suppose, for the moment, that they compute the bit error
rates of the tested sample in the two bases separately, thus obtaining
$p_X^{sample}$ and $p_Z^{sample}$. Then, these two error rates are good
estimates of those of the population (and therefore, also the remaining
untested pairs). In particular, one can apply classical random sampling
theory to estimate confidence levels for the error rates in the two bases
for the population (and thus the untested pairs).

Proof of Proposition 1: Let us summarize the overall strategy of the proof.
One imagines applying the mathematical operation of Bell measurements on
the N imperfect EPR pairs before the error correction procedure, but after
Eve's eavesdropping. Consider the resulting state. It could have been
obtained by a different eavesdropping strategy on the part of Eve, which
applies Pauli operators to the N-EPR-pair state with some probability
distribution. Finally, it suffices to consider only this limited class of
eavesdropping strategies.

Let us consider the state of the EPR pairs after Eve's eavesdropping
attack. For each of the m pairs tested along the Z-basis, consider the
projection operators, $P_{\parallel}^{i,Z}$ and $P_{anti-\parallel}^{i,Z}$,
for the two coarse-grained outcomes (parallel and anti-parallel) of the
measurement performed on the i-th pair. Specifically,

$$
\begin{aligned}
P_{\parallel}^{i,Z} &= |00\rangle_i \langle 00|_i + |11\rangle_i \langle 11|_i \\
&= |\Phi^+\rangle_i \langle \Phi^+|_i + |\Phi^-\rangle_i \langle \Phi^-|_i, && (12) \\
P_{anti-\parallel}^{i,Z} &= |01\rangle_i \langle 01|_i + |10\rangle_i \langle 10|_i \\
&= |\Psi^+\rangle_i \langle \Psi^+|_i + |\Psi^-\rangle_i \langle \Psi^-|_i, && (13)
\end{aligned}
$$

where $|\Phi^\pm\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle)$
and $|\Psi^\pm\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$.

Similarly, for each of the m pairs tested along the X-axis, consider the
projection operators, $P_{\parallel}^{k,X}$ and $P_{anti-\parallel}^{k,X}$,
for the two coarse-grained outcomes (parallel and anti-parallel) of the
measurement performed on the k-th tested pair. Namely,

$$
\begin{aligned}
P_{\parallel}^{k,X} &= \tfrac{1}{4} (|0\rangle_k + |1\rangle_k) \otimes (|0\rangle_k + |1\rangle_k) (\langle 0|_k + \langle 1|_k) \otimes (\langle 0|_k + \langle 1|_k) \\
&\quad + \tfrac{1}{4} (|0\rangle_k - |1\rangle_k) \otimes (|0\rangle_k - |1\rangle_k) (\langle 0|_k - \langle 1|_k) \otimes (\langle 0|_k - \langle 1|_k) \\
&= |\Phi^+\rangle_k \langle \Phi^+|_k + |\Psi^+\rangle_k \langle \Psi^+|_k, && (14) \\
P_{anti-\parallel}^{k,X} &= \tfrac{1}{4} (|0\rangle_k + |1\rangle_k) \otimes (|0\rangle_k - |1\rangle_k) (\langle 0|_k + \langle 1|_k) \otimes (\langle 0|_k - \langle 1|_k) \\
&\quad + \tfrac{1}{4} (|0\rangle_k - |1\rangle_k) \otimes (|0\rangle_k + |1\rangle_k) (\langle 0|_k - \langle 1|_k) \otimes (\langle 0|_k + \langle 1|_k) \\
&= |\Phi^-\rangle_k \langle \Phi^-|_k + |\Psi^-\rangle_k \langle \Psi^-|_k. && (15)
\end{aligned}
$$

The above four equations clearly show that using local operations and
classical communications only (LOCCs), Alice and Bob can effectively
perform a coarse-grained Bell's measurement with these four projection
operators.

Now, consider the operator, $M_B$, which represents a complete measurement
along N-Bell basis. Since $M_B$, $P_{\parallel}^{i,Z}$,
$P_{anti-\parallel}^{i,Z}$, $P_{\parallel}^{k,X}$ and
$P_{anti-\parallel}^{k,X}$ all refer to a single basis (namely, the N-Bell
basis), they clearly commute with each other. Therefore, they can be
simultaneously diagonalized. Thus, a pre-measurement $M_B$ by say Eve will
in no way change the outcome for $P_{\parallel}^{i,Z}$,
$P_{anti-\parallel}^{i,Z}$, $P_{\parallel}^{k,X}$ and
$P_{anti-\parallel}^{k,X}$. Therefore, we may as well consider the case
when such a pre-measurement is performed. By doing so, we have reduced the
most general eavesdropping strategy to a restricted class that involves
only Pauli operators. Consequently, the problem of estimation of the error
rates of the two bases is classical. Q.E.D.

We emphasize that the key insight of Proposition 1 is the "commuting 
observables" idea: Consider the set of Bell measurements, $X \otimes X$ and $Z \otimes Z$, 
on all pairs of qubits. All such Bell measurements commute with each other. 
Therefore, without any loss of generality, we can assign classical probabilities 
to their simultaneous eigenstates and perform classical statistical analysis. 
This greatly simplifies the analysis. 

More concretely, provided that the total number of the EPR pairs goes to 
infinity, the classical de Finetti's theorem applies to the random test sample 
of m pairs. Moreover, for a sufficiently large N, it is common in classical 
statistical theory to assume a normal distribution and use it to estimate 
the mean of the population and establish confidence levels. Therefore, with 
a high confidence level, for the remaining untested pairs, the error rates 

^untested < ^sample ^ ^ ^untested ^ ^sample ^ ^_ 

The next question is: how do the two error rates (for the X and Z 
bases) relate to the bit-flip and phase errors in the underlying quantum error 
correcting code? Suppose, as in our discussion so far, Alice and Bob generate 
their final key by measuring along the Z-axis only. In this case, it should not 
be hard to see that the bit-flip error has an error rate $p_Z^{\text{untested}}$ and the phase 
error has an error rate $p_X^{\text{untested}}$. 

However, in BB84, it is common practice to allow Alice and Bob to generate the key by measuring each pair along either the X or Z-axis with uniform probabilities. Mathematically, as discussed in [23 EH], this is equivalent to Alice's applying either i) a Hadamard transform or ii) an identity operator to the qubit before sending it to Bob. Therefore, in this case, it should not be too hard to see that the bit-flip error is given by the averaged error rate $(p_X^{\text{untested}} + p_Z^{\text{untested}})/2$ of the two bases. Similarly, the phase error rate is given by the same expression. For this reason, it is, in fact, unnecessary in Shor and Preskill's proof for Alice and Bob to compute the two error rates separately. In other words, a simple-minded error analysis in which they lump all polarization data (from both rectilinear and diagonal bases) together and compute a single sample bit error rate, call it $e^{\text{sample}}$, is sufficient for the quality check stage. 

Now, suppose a QECC [[n, k, d]] is chosen such that the maximal tolerable 
error rate, e"*"^' = ^ = > ^sample _|_ Then, for any eavesdropping 

strategy that will pass the quality check stage with a non-negligible probability, it is most likely that the remaining untested n EPR pairs will have less than t bit-flip errors and also less than t phase errors. Therefore, the error correction will most likely succeed and Alice and Bob will share a k-EPR-pair state with high fidelity. 

The following theorem shows that once Alice and Bob share a high fidelity 
k-EPR-pair state, then they can generate a key such that the eavesdropper's 
mutual information is very small. 

Theorem 2 (IS]): Suppose two distant observers, Alice and Bob, share a high fidelity k-EPR-pair state, $\rho$, such that $\langle\Phi^{(k)}|\rho|\Phi^{(k)}\rangle > 1 - \delta$ where $\delta \ll 1$, and they generate a key by measuring the state along, say, the Z-axis, then the eavesdropper's mutual information on the key is bounded by 

$$S(\rho) < -(1-\delta)\log_2(1-\delta) - \delta\log_2\frac{\delta}{2^{2k}-1} = \delta\times\left[\frac{1}{\log_e 2} + 2k + \log_2(1/\delta)\right] + O(\delta^2). \tag{16}$$

Proof: Let us recapitulate the proof presented in Section II of supplementary material of [33]. The proof consists of two Lemmas. Lemma A says that high fidelity implies low entropy. Lemma B says that the entropy is a bound to the eavesdropper's mutual information with Alice and Bob. 

More concretely, Lemma A says the following: If $\langle\Phi^{(k)}|\rho|\Phi^{(k)}\rangle > 1 - \delta$ where $\delta \ll 1$, then the von Neumann entropy satisfies $S(\rho) < -(1-\delta)\log_2(1-\delta) - \delta\log_2\frac{\delta}{2^{2k}-1}$. Proof of Lemma A: If $\langle\Phi^{(k)}|\rho|\Phi^{(k)}\rangle > 1 - \delta$, then the largest eigenvalue of the density matrix $\rho$ must be larger than $1 - \delta$. Therefore, the entropy of $\rho$ is bounded above by that of a density matrix, $\rho_0 = \mathrm{diag}\left(1-\delta, \frac{\delta}{2^{2k}-1}, \frac{\delta}{2^{2k}-1}, \ldots, \frac{\delta}{2^{2k}-1}\right)$, which has an entropy $-(1-\delta)\log_2(1-\delta) - \delta\log_2\frac{\delta}{2^{2k}-1}$. 

Lemma B, which is a corollary of Holevo's theorem PU], says the following: Given any pure state $|\phi_{A'B'}\rangle$ of a system consisting of two subsystems, A' and B', and any generalized measurements X and Y on A' and B' respectively, the entropy of each subsystem $S(\rho_{A'})$ (where $\rho_{A'}$ is the reduced density matrix, $\mathrm{Tr}_{B'}|\phi_{A'B'}\rangle\langle\phi_{A'B'}|$) is an upper bound to the amount of mutual information between X' and Y'. 

Now, suppose Alice and Bob share a bipartite state $\rho_{AB}$ of fidelity $1 - \delta$ to k EPR pairs. By applying Lemma A, one shows that the entropy of $\rho_{AB}$ is bounded by $S(\rho) < -(1-\delta)\log_2(1-\delta) - \delta\log_2\frac{\delta}{2^{2k}-1}$. 

Let us now introduce Eve to the picture and consider the system consisting of the subsystem, A', of Eve and the subsystem, B', of combined Alice-Bob (i.e., B' = AB). Let us consider the most favorable situation for Eve where she has perfect control over the environment. In this case, the overall (Alice-Bob-Eve) system wavefunction can be described by a pure state, $|\phi_{A'B'}\rangle$, where Eve controls A' and the combined Alice-Bob controls B'. By Lemma B, Eve's mutual information with Alice-Bob's system is bounded by $-(1-\delta)\log_2(1-\delta) - \delta\log_2\frac{\delta}{2^{2k}-1}$. Q.E.D. 

Remark 1: It is not too hard to see that Alice and Bob will most likely 
share a common key that is essentially random in the above procedure. 

Remark 2: Suppose we limit the eavesdropper's information, $I_{\text{Eve}}$, to be 
less than e. Theorem 2 shows that, as the length, k, of the final key increases, 
the allowed infidelity, $\delta$, of the state must decrease at least as $O(1/k)$. 

3.5 reduction to BB84 

Shor and Preskill considered a special class of quantum error correcting codes, 
namely Calderbank-Shor-Steane (CSS) codes. They showed that a QKD that 
employs an entanglement purification protocol (EPP) based on a CSS code 
can be reduced to BB84. Let us follow their arguments in two steps. 

3.5.1 from entanglement purification protocol to quantum error- 
correcting code protocol 

From the work of BDSW [S|, it is well known that any entanglement purification protocol with only one-way classical communications can be converted into a quantum error-correcting code. Shor and Preskill applied this result to an EPP-based QKD scheme. Let us recapitulate the procedure of an EPP-based QKD scheme. Alice creates N EPR pairs and sends half of each pair to Bob. She then measures the check bits and compares them with Bob. If the error rate is not too high, Alice then measures $M_{i,A}$ and publicly announces the outcomes to Bob, who measures $M_{i,B}$. This allows Alice and Bob to correct errors and distill out k perfect EPR pairs. Alice and Bob then measure $Z_{a,A}$ and $Z_{a,B}$, the encoded Z operators, to generate the key. 

Note that, by locality, it does not matter whether Alice measures the check bits before or after she transmits halves of EPR pairs to Bob. Similarly, it does not matter whether Alice measures her syndrome (i.e., the stabilizer elements, $M_{i,A}$) before or after the transmission. Now, if she measures her check bits before the transmission, it is equivalent to choosing a random BB84 state, $|0\rangle$, $|1\rangle$, $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. If Alice measures her syndromes before the transmission, it is equivalent to encoding halves of k EPR pairs in an [[n, k, d]] QECC, $C_{S_A}$, and sending them to Bob, where $C_{S_A}$ is the corresponding quantum code for the syndrome, $S_A$, she found. 

Finally, suppose Alice measures her halves of the encoded k EPR pairs before the transmission, it is equivalent to Alice preparing one of the $2^k$ mutually orthogonal codeword states in the quantum code, $C_{S_A}$, to represent a k-bit key and sending the state to Bob. In summary, the above discussion reduces a QKD protocol based on EPP to a QKD protocol based on a class of [[n, k, d]] QECC, $C_{S_A}$'s. 

3.5.2 from error-correcting protocol to BB84 

So far, we have not specified which class of QECCs to employ. Notice that, for a general QECC, the QECC protocol still requires quantum computers to implement (for example, the operators $M_{i,B}$). Here comes a key insight of Shor and Preskill: If one employs Calderbank-Shor-Steane (CSS) codes [37], then the scheme can be further reduced to standard BB84, which can be implemented without a quantum computer. CSS codes have the nice property that the bit-flip and phase error correction procedures are totally decoupled from each other. In other words, the error syndrome is of the form of a pair $(s_b, s_p)$ where $s_b$ and $s_p$ are respectively the bit-flip and phase error syndrome. Without quantum computers, there is no way for Alice and Bob to compute the phase error syndrome, $s_p$. However, this is not really a problem because phase errors do not change the value of the final key, which is all that Alice and Bob are interested in. For this reason, Alice and Bob can basically drop the phase-error correction procedure. 

Let us first introduce the CSS code. Consider two classical binary codes, $C_1$ and $C_2$, such that, 

$$\{0\} \subset C_2 \subset C_1 \subset F_2^n, \tag{17}$$

where $F_2^n$ is the binary vector space of the n bits and that both $C_1$ and $C_2^\perp$, the dual of $C_2$, have a minimal distance, $d = 2t + 1$, for some integer, t. The basis vectors of a CSS code, C, are: 

$$v \to |\psi(v)\rangle = \frac{1}{|C_2|^{1/2}}\sum_{w \in C_2}|v + w\rangle, \tag{18}$$

where $v \in C_1$. Note that, whenever $v_1 - v_2 \in C_2$, they are mapped to the same state. In fact, the basis vectors are in one-one correspondence with the cosets of $C_2$ in $C_1$. The dimension of a CSS code is $2^k$ where $k = \dim(C_1) - \dim(C_2)$. In standard QECC convention, the CSS code is denoted as an [[n, k, d]] QECC. 

One can also construct a whole class of CSS codes, $C_{z,x}$, from C, where the basis vectors of $C_{z,x}$ are of the form 

$$v \to |\psi(v)_{z,x}\rangle = \frac{1}{|C_2|^{1/2}}\sum_{w \in C_2}(-1)^{x \cdot w}|v + w + z\rangle, \tag{19}$$

where $v \in C_1$.^7 

Let us introduce some notation. Recall the definition of Pauli matrices. The operator $\sigma_x$ corresponds to a bit-flip error, $\sigma_z$ a phase error and $\sigma_y$ a combination of both bit-flip and phase errors. It is convenient to denote the Pauli operator acting on the k-th qubit by $\sigma_{a(k)}$ where $a \in \{x, y, z\}$. Given a binary vector $s \in F_2^n$, let 

$$\sigma_a^{[s]} = \sigma_{a(1)}^{s_1} \otimes \sigma_{a(2)}^{s_2} \otimes \cdots \otimes \sigma_{a(n)}^{s_n}. \tag{20}$$

By definition, the eigenvalues of $\sigma_a^{[s]}$ are +1 and -1. 

Let $H_1$ be the parity check matrix for the code $C_1$ and $H_2$ be the parity check matrix for $C_2^\perp$. For each row, $r \in H_1$, consider an operator, $\sigma_z^{[r]}$. Applying to a quantum state, their simultaneous eigenvalues give the bit-flip error syndrome. For each row, $s \in H_2$, consider an operator, $\sigma_x^{[s]}$. Applying to a quantum state, their simultaneous eigenvalues give the phase error syndrome. For instance, when applied to the state, $\psi(v)_{z,x}$ in Eq. (19), we find the bit-flip error syndrome, $s_b$, and the phase error syndrome, $s_p$, to be: 

$$s_b = H_1(z), \qquad s_p = H_2(x). \tag{21}$$



^7 Note that our notation is different from both Refs. [SHI and |2H| in that we have 
interchanged x and z in Eq. (19) as well as in the definition of $C_{z,x}$. In our notation, z 
denotes the bit-flip error syndrome and x denotes the phase error syndrome. 
Let us look at the QECC-based QKD scheme as a whole. Alice is supposed to pick a random vector $v \in C_1$, random $x_A$ and $z_A$ and encode it as $|\psi(v)_{z_A,x_A}\rangle$. After Bob's acknowledgement of his receipt of the state, Alice then announces the values of $x_A$ and $z_A$ to Bob. Bob measures the state and obtains his own syndrome, the values of $x_B$ and $z_B$. The relative syndrome, the values of $x_A - x_B$ and $z_A - z_B$, is the actual error syndrome of the channel. Bob then corrects the errors and measures along the z-axis to obtain a string $v + w + z_A$ for some $w \in C_2$. He then subtracts $z_A$ to obtain $v + w$. Finally, Bob applies the generator matrix,^8 $G_2$, of the dual code $C_2^\perp$ (i.e., the parity check matrix of the code $C_2$) to generate the key, 

$$G_2(v + w) = G_2(v) + G_2(w) = G_2(v). \tag{22}$$

Notice that the key is in one-one correspondence with the coset of $C_2$ in $C_1$ because of the mapping $G_2(v) \to v + C_2$.^9 

Here comes the key point: Since Bob measures along the z-axis to generate the key, the phase errors really do not change the value of the key. Therefore, it is not necessary for Alice to announce the phase error syndrome, $x_A$, to Bob. Therefore, without affecting the security of the scheme, Alice is allowed to prepare a state $|\psi(v)_{z_A,x_A}\rangle$ and then discard, rather than broadcast, the value of $x_A$. Equivalently, she is allowed to prepare an averaged state of $|\psi(v)_{z_A,x_A}\rangle$ over all values of $x_A$. The averaging operation destroys the phase coherence and, from Eq. (19), leads to a classical mixture of $|v + w + z_A\rangle$ in the z-basis. 

As a whole, the error correction/privacy amplification procedure for the resulting BB84 QKD scheme goes as follows: Alice sends $|u\rangle$ to Bob through a quantum channel. Bob obtains $u + e$ due to channel errors. Alice later broadcasts $u + v$, for a random $v \in C_1$. Bob subtracts it from his received string to obtain $v + e$. He corrects the errors using the code $C_1$ to obtain a codeword, $v \in C_1$. He then applies the matrix, $G_2$, to generate the final key $G_2(v)$, which is in one-one correspondence with a coset of $C_2$ in $C_1$. 

Remark 3: Upon reduction from CSS code to BB84, the original bit-flip error correction procedure of $C_1$ becomes a classical error correction procedure. On the other hand, the phase error correction procedure becomes a privacy amplification procedure. (And, it is achieved by extracting the coset of $C_2$ in $C_1$ by using the generator matrix, $G_2$, of the dual code $C_2^\perp$.) 

^8 Gottesman and Preskill's paper stated that the parity check matrix, $H_2$, of the dual 
code $C_2^\perp$ should be used. But, it should really be the generator matrix. 
^9 This is a well-known result in classical coding theory. 
Remark 4: Note that the crux of this reduction is to demonstrate that Eve's view in the original EPP picture can be made to be exactly the same as in BB84. Therefore, the fact that Alice and Bob could have executed their QKD with quantum computers is sufficient to guarantee the security of QKD. They do not actually need quantum computers in the actual execution. Another way of saying what is going on is that Alice and Bob are allowed to throw away the phase error syndrome information without weakening security. By throwing such phase error syndrome away, the scheme becomes implementable with only classical computers, and, therefore, does not require quantum computers. 

3.6 Acceptable error rate 

If one only aims to decode noise patterns up to half of the minimal distance d (as in much of conventional coding theory), then, given that the above quantum code uses $C_1$ and $C_2^\perp$ that have large minimal distances, it achieves the quantum Gilbert-Varshamov bound for CSS codes fTHl EZI. As the length of the code, n, goes to infinity, the number of encoded qubits goes to $[1 - 2H(2e)]n$, where e is the measured bit error rate in the quantum transmission. Here, the factor of 2 in front of H arises because one has to deal with both phase and bit-flip errors in a quantum code. In the classical analog, the factor of 2 in front of H does not appear. (The factor of 2 inside H ensures that the distance between any two codewords is at least twice of the tolerable error rate.) 

However, in fact, the same CSS code can decode, with vanishing probability of error, up to twice of the above error rate. That is to say, it can achieve the quantum Shannon bound for non-degenerate codes. Asymptotically, the number of encoded qubits goes to $[1 - 2H(e)]n$. The maximal tolerable error rate would be about 11%. 

The reason for the improvement is that the code only needs to correct the likely errors, rather than all possible errors at such a noise level. We remark that this is highly reminiscent of a result in classical coding theory which states that Gallager codes, which are based on very low density parity check matrices, can achieve the Shannon bound in classical coding theory ^7]. In the classical case, the intuition is that in a very high-dimensional binary space, while two spheres of radius r whose centers are a distance d apart have a non-zero volume of intersection for any r greater than d/2, the fractional overlap is vanishingly small provided that r < d. 

To achieve the Shannon bound in the quantum code case, it is necessary to ensure that the errors are randomly distributed among the n qubits. As noted by Shor and Preskill, this can be done by, for example, permuting the n qubits randomly. 

Remark 5: In the original Mayers' proof, the maximal tolerable error rate is about 7%. As noted by Shor and Preskill, Mayers' proof has a hidden CSS code structure. Mayers considered some (efficiently decodable) classical codes, $C_1$, and a random subcode, $C_2$, of $C_1$. It turns out that the dual, $C_2^\perp$, of a random subcode of $C_1$ is highly likely to be a good code. However, Mayers' proof considered the correction of all phase errors, rather than likely phase errors within the error rate. For this reason, as the length, n, of the codeword goes to infinity, the number of encoded qubits asymptotically approaches $[1 - H(e) - H(2e)]n$; the first H comes from error correction and the second comes from privacy amplification. Thus, key generation is possible only up to 7%. Shor and Preskill extended Mayers' proof by noting that it is necessary to correct only likely phase errors, but not all phase errors within the error rate. They also randomize the errors by adding the permutation step mentioned in the above paragraphs. 
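
The three asymptotic rates quoted in this subsection and in Remark 5 can be solved numerically for the error rate at which the key rate drops to zero. The following is an added example, not code from the paper; the function names are assumptions chosen here.

```python
import math


def H(x):
    """Binary entropy function in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


# Asymptotic number of encoded qubits per transmitted qubit, as quoted in the text.
def rate_half_distance(e):
    """Decode every pattern up to half the minimal distance: 1 - 2H(2e)."""
    return 1 - 2 * H(2 * e)


def rate_mayers(e):
    """Mayers' proof: H(e) for error correction, H(2e) for privacy amplification."""
    return 1 - H(e) - H(2 * e)


def rate_shannon(e):
    """Shor and Preskill: correct only the likely errors, 1 - 2H(e)."""
    return 1 - 2 * H(e)


def max_tolerable_error(rate, lo=1e-12, hi=0.25):
    """Bisection for the error rate at which `rate` reaches zero.

    Each rate above decreases monotonically on (0, 0.25], is positive at `lo`
    and negative at `hi`, so the zero crossing is unique.
    """
    for _ in range(100):
        mid = (lo + hi) / 2
        if rate(mid) > 0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for name, rate in [("half-distance decoding", rate_half_distance),
                       ("Mayers", rate_mayers),
                       ("Shor-Preskill", rate_shannon)]:
        print(f"{name}: key rate vanishes at e = {max_tolerable_error(rate):.4f}")
```
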

3.7 Shor and Preskill's protocol of BB84 

In the last few subsections, we have already discussed the main steps of Shor 
and Preskill's proof. For completeness, we will list here all the steps of Shor 
and Preskill's protocol of BB84 scheme. 

(1) Alice sends a sequence of, say, $(4 + \delta_1)n$ photons, where $\delta_1$ is a small positive 
number, each in one of the four polarizations (horizontal, vertical, 
45 degrees and 135 degrees) chosen randomly and independently. 

(2) For each photon, Bob chooses the type of measurement randomly: 
along either the rectilinear or diagonal bases. 

(3) Bob records his measurement bases and the results of the measure- 
ments. 

(4) Subsequently, Bob announces his bases (but not the results) through 
the public unjammable channel that he shares with Alice. 

Remark 6: Notice that it is crucial that Bob announces his basis only 
after his measurement. This ensures that during the transmission of the 
signals through the quantum channel the eavesdropper Eve does not know 
which basis to eavesdrop along. Otherwise, Eve can avoid detection simply 
by measuring along the same basis used by Bob. 
(5) Alice tells Bob which of his measurements have been done in the 
correct bases. 

(6) Alice and Bob divide up their polarization data into two classes de- 
pending on whether they have used the same basis or not. 

Remark 7: Notice that on average, Bob should have performed the wrong 
type of measurements on half of the photons. Here, by a wrong type of 
measurement we mean that Bob has used a basis different from that of Alice. 
For those photons, he gets random outcomes. Therefore, he throws away 
those polarization data. We emphasize that this immediately implies that 
half of the data are thrown away and the efficiency of BB84 is bounded by 
50%. 

With high probability, at least ~ 2n photons are left. (If not, they abort.) 
Assuming that no eavesdropping has occurred, all the photons that are mea- 
sured by Bob in the correct bases should give the same polarizations as 
prepared by Alice. Besides, Bob can determine those polarizations by his 
own detectors without any communications from Alice. Therefore, those 
polarization data are a candidate for their raw key. However, before they 
proceed any further, it is crucial that they test for tampering. For instance, 
they can use the following simplified method for estimating the error rate. 
(Going through BB84 would give us essentially the same result, namely that 
all accepted data are lumped together to compute a single error rate.) 

(7) Alice and Bob randomly pick a subset of photons from those that 
are measured in the correct bases and publicly compare their polarization 
data for preparation and measurement. For instance, they can use ~ n 
photons for such testing. For those results, they estimate the error rate for 
the transmission. Of course, since the polarization data of photons in this 
subset have been announced, Alice and Bob must sacrifice those data to avoid 
information leakage to Eve. 

We assume that Alice and Bob have some idea on the channel characteristics. If the average error rate e turns out to be unreasonably large (i.e., $e > e_{\max}$ where $e_{\max}$ is the maximal tolerable error rate), then either substantial eavesdropping has occurred or the channel is somehow unusually noisy. In both cases, all the data are discarded and Alice and Bob may re-start the whole procedure again. Notice that, even then there is no loss in security because the compromised key is never used to encipher sensitive data. Indeed, Alice and Bob will derive a key from the data only when the security of the polarization data is first established. 

On the other hand, if the error rate turns out to be reasonably small (i.e., $e < e_{\max}$), they go to the next step. 

(8) Reconciliation and privacy amplification: Alice and Bob can independently convert the polarizations of the remaining n photons into a raw key by, for example, regarding a horizontal or 45-degree photon as denoting a '0' and a vertical or 135-degree photon a '1'. 

Alice and Bob pick a CSS code based on two classical binary codes, $C_1$ and $C_2$, as in Eqs. (17) and (18), such that both $C_1$ and $C_2^\perp$, the dual of $C_2$, correct up to t errors where t is chosen such that the following procedure of error correction and privacy amplification will succeed with a high probability. 

(8.1) Let v be Alice's string of the remaining n unchecked bits. Alice picks a random codeword $u \in C_1$ and publicly announces $u + v$. 

(8.2) Let $v + \Delta$ be Bob's string of the remaining n unchecked bits. (It differs from Alice's string due to the presence of errors $\Delta$.) Bob subtracts Alice's announced string $u + v$ from his own string to obtain $u + \Delta$, which is a corrupted version of u. Using the error correcting property of $C_1$, Bob recovers a codeword, u, in $C_1$. 

(8.3) Alice and Bob use the coset of $u + C_2$ as their key. 
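
Steps (8.1) to (8.3), and the equivalent description around Eq. (22), can be traced on a small code pair. The following is an added example, not code from the paper: it assumes $C_1$ is the Hamming [7,4,3] code and $C_2$ its dual (so $C_2 \subset C_1$, $C_2^\perp = C_1$ and t = 1), and all function names are chosen here.

```python
import itertools
import random

# Parity-check matrix of C1 = Hamming [7,4,3]; column j is j written in binary.
H1 = [[0, 0, 0, 1, 1, 1, 1],
      [0, 1, 1, 0, 0, 1, 1],
      [1, 0, 1, 0, 1, 0, 1]]
# Assumption of this example: C2 is spanned by the rows of H1 (the dual of C1).
# G2 generates C2-perp (= C1 here), i.e. it is a parity-check matrix of C2.
G2 = H1 + [[1] * 7]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def mul(matrix, v):
    """Matrix-vector product over F_2."""
    return [sum(m & x for m, x in zip(row, v)) % 2 for row in matrix]


def span(rows):
    """All F_2 linear combinations of the given rows."""
    words = []
    for coeffs in itertools.product((0, 1), repeat=len(rows)):
        w = [0] * len(rows[0])
        for c, row in zip(coeffs, rows):
            if c:
                w = xor(w, row)
        words.append(w)
    return words


C1 = [list(v) for v in itertools.product((0, 1), repeat=7) if not any(mul(H1, v))]
C2 = span(H1)


def correct_with_c1(word):
    """Syndrome decoding: the syndrome spells the 1-based position of a single flip."""
    s = mul(H1, word)
    pos = 4 * s[0] + 2 * s[1] + s[2]
    fixed = list(word)
    if pos:
        fixed[pos - 1] ^= 1
    return fixed


def key_from(codeword):
    """Privacy amplification: G2 sends a codeword of C1 to the label of its coset u + C2."""
    return tuple(mul(G2, codeword))


def distill(alice_bits, bob_bits, rng):
    """Steps (8.1)-(8.3); returns (Alice's key, Bob's key, announced string)."""
    u = rng.choice(C1)                   # (8.1) Alice's random codeword
    announced = xor(u, alice_bits)       # public string u + v
    noisy_u = xor(bob_bits, announced)   # (8.2) (v + Delta) - (u + v) = u + Delta
    u_bob = correct_with_c1(noisy_u)     # Bob decodes back to u
    return key_from(u), key_from(u_bob), announced   # (8.3) coset label as key


if __name__ == "__main__":
    rng = random.Random(7)
    v = [rng.getrandbits(1) for _ in range(7)]   # constructed raw key bits
    bob = list(v)
    bob[4] ^= 1                                  # one channel error
    print(distill(v, bob, rng))
```

With this code pair k = dim($C_1$) - dim($C_2$) = 1, so the four output bits of `key_from` take only two values, one per coset of $C_2$ in $C_1$.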

Remark 8: As noted before, there is a minor subtlety [^ni. To tolerate a 
higher channel error rate of up to about 11%, Alice should apply a random 
permutation to the qubits before their transmission to Bob. Bob should then 
apply the inverse permutation before decoding. 

Remark 9: Depending on the desired security level, the number of test 
photons in Step (7) can be made to be much smaller than n. If one takes 
the limit that the probability that Eve can break the system is fixed but 
arbitrary, then the number of test photons can be made to be of order log n 
only. On the other hand, if the probability that Eve can break the system 
is chosen to be exponentially small in n, then it is necessary to test order n 
photons. 

4 Overview of efficient BB84 

In this section, we will give an overview of the efficient BB84 scheme and 
provide a sketch of a simple proof of its security. 
4.1 bias 

The first major new ingredient of our efficient BB84 scheme is to put a bias in the probabilities of choosing between the two bases. 

Recall the fraction of rejected data of BB84 is likely to be at least 50%. This is because in BB84 Alice and Bob choose between the two bases randomly and independently. Consequently, on average Bob performs a wrong type of measurement half of the time and, therefore, half of the photons are thrown away immediately. The efficiency will be increased if Alice prepares and Bob measures their photons with a biased choice of basis. Specifically, they first agree on a fixed number $0 < p < 1/2$. Alice prepares (Bob measures) each photon randomly, independently in the rectilinear and diagonal basis with probabilities p and 1 - p respectively. Clearly, the scheme is insecure when p = 0. Nonetheless, we shall show that in the limit of large number of photon transfer, this biased scheme is secure in the limit of $p \to 0^+$. Hence, the efficiency of this biased scheme is asymptotically doubled when compared to BB84. 

Notice also that the bias in the probabilities might be produced passively by an apparatus, for example, an unbalanced beamsplitter in Bob's side. 

Such a passive implementation based on a beamsplitter eliminates the need for fast switching between different polarization bases and is, thus, useful in experiments. It may not be obvious to readers why a beamsplitter can create a probabilistic implementation. If one uses a beamsplitter, rather than a fast switch, one gets a superposition of states and not a mixture. However, provided that the subsequent measurement operators annihilate any state transmitting in one of the two paths, the probabilities of the outcomes will be the same for either a mixture or a superposition. More concretely, suppose one can model the problem by decomposing the Hilbert space into two subspaces $\mathcal{H} = \mathcal{H}_1 \oplus \mathcal{H}_2$ where $\mathcal{H}_1$ is the Hilbert subspace corresponding to the first path and $\mathcal{H}_2$ the second respectively. Consider the two sets of measurement operators, $\{P_i\}$'s and $\{Q_j\}$'s respectively, where $P_i|\psi\rangle = 0$ for all $|\psi\rangle \in \mathcal{H}_2$ and $Q_j|\psi\rangle = 0$ for all $|\psi\rangle \in \mathcal{H}_1$. Let us write $|u\rangle = |u_1\rangle + |u_2\rangle$ where $|u_1\rangle \in \mathcal{H}_1$ and $|u_2\rangle \in \mathcal{H}_2$. 

Now, the probability of the outcome corresponding to the measurement $P_i$ is given by 

$$|\langle u|P_i|u\rangle| = |\langle u_1|P_i|u_1\rangle| \tag{23}$$

and the probability of the outcome corresponding to the measurement $Q_j$ is given by 

$$|\langle u|Q_j|u\rangle| = |\langle u_2|Q_j|u_2\rangle|. \tag{24}$$

Those probabilities are exactly the same as those given by a mixture of $|u_1\rangle$ and $|u_2\rangle$. 

4.2 Refined Error Analysis 

In the original BB84 scheme, all the accepted data (those for which Alice and 
Bob measure along the same basis) are lumped together to compute a single 
error rate. In this subsection, we introduce the second major ingredient of our 
scheme — a refined error analysis. The idea is for Alice and Bob to divide up 
the accepted data into two subsets according to the actual basis (rectilinear 
or diagonal) used. After that, a random subset of photons is drawn from 
each of the two sets. They then publicly compare their polarization data and 
from there estimate the error rate for each basis separately. They decide that 
the run is acceptable if and only if both error rates are sufficiently small. 

The requirement of having estimated error rates separately in both bases 
to be small is more stringent than the original one. In fact, if a naive data 
analysis, where only a single error rate is computed by Alice and Bob, had 
been employed, our new scheme would have been insecure. To understand 
this point, consider the following example of a so-called biased eavesdropping 
strategy by Eve. 

For each photon, Eve 1) with a probability $p_1$ measures its polarization 
along the rectilinear basis and resends the result of her measurement to Bob; 
2) with a probability $p_2$ measures its polarization along the diagonal basis 
and resends the result of her measurement to Bob; and 3) with a probability 
$1 - p_1 - p_2$, does nothing. We remark that, by varying the values of $p_1$ and 
$p_2$, Eve has a whole class of eavesdropping strategies. Let us call any of the 
strategies in this class a biased eavesdropping attack. 

Consider the error rate $e_1$ for the case when both Alice and Bob use the rectilinear basis. For the biased eavesdropping strategy under current consideration, errors occur only if Eve uses the diagonal basis. This happens with a conditional probability $p_2$. In this case, the polarization of the photon is randomized, thus giving an error rate $e_1 = p_2/2$. Similarly, errors for the diagonal basis occur only if Eve is measuring along the rectilinear basis. This happens with a conditional probability $p_1$ and when it happens, the photon polarization is randomized. Hence, the error rate for the diagonal basis is $e_2 = p_1/2$. Therefore, Alice and Bob will find, for the biased eavesdropping attack, that the average error rate 

$$\bar{e} = \frac{p^2 e_1 + (1-p)^2 e_2}{p^2 + (1-p)^2} = \frac{p^2 p_2 + (1-p)^2 p_1}{2[p^2 + (1-p)^2]}. \tag{25}$$

Suppose Eve always eavesdrops solely along the diagonal basis (i.e., $p_1 = 0$ and $p_2 = 1$), then 

$$\bar{e} = \frac{p^2}{2[p^2 + (1-p)^2]} \to 0 \tag{26}$$

as p tends to 0. Hence, with the original error estimation method in BB84, Alice and Bob will fail to detect eavesdropping by Eve. Yet, Eve will have much information about Alice and Bob's raw key as she is always eavesdropping along the dominant (diagonal) basis. Hence, a naive error analysis fails miserably. 

In contrast, the refined error analysis can make our scheme secure against such a biased eavesdropping attack. Recall that in a refined error analysis, the two error rates are computed separately. The key observation is that these two error rates $e_1 = p_2/2$ and $e_2 = p_1/2$ depend only on Eve's eavesdropping strategy, but not on the value of e. This is so because they are conditional probabilities. Consequently, in the case that Eve is always eavesdropping along the dominant (i.e., diagonal) basis, Alice and Bob will find an error rate of $e_1 = p_2/2 = 1/2$ for the rectilinear basis. Since 1/2 is substantially larger than $e_{\max}$, Alice and Bob will successfully catch Eve. 
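
The contrast between the lumped and the per-basis quality check can be seen in a small Monte Carlo run of the biased scheme under the biased eavesdropping attack of this subsection. This is an added example, not code from the paper; it assumes ideal detectors and a noiseless channel, uses every sifted photon as test data for simplicity, and all names are chosen here.

```python
import random

RECT, DIAG = 0, 1  # rectilinear and diagonal polarization bases


def measure(bit, state_basis, meas_basis, rng):
    """Ideal measurement: matching basis returns the bit, the other basis a coin flip."""
    return bit if state_basis == meas_basis else rng.getrandbits(1)


def simulate(n_photons, p, p1, p2, seed=2024):
    """Sifted mismatch counts per basis under the biased eavesdropping attack.

    p      : probability that Alice (and, independently, Bob) picks RECT
    p1, p2 : probabilities that Eve measures and resends in RECT / DIAG
    Returns {basis: [mismatches, accepted]} for photons where the bases agree.
    """
    rng = random.Random(seed)
    counts = {RECT: [0, 0], DIAG: [0, 0]}
    for _ in range(n_photons):
        a_basis = RECT if rng.random() < p else DIAG
        b_basis = RECT if rng.random() < p else DIAG
        bit = rng.getrandbits(1)
        sent_bit, sent_basis = bit, a_basis
        r = rng.random()
        if r < p1:               # Eve measures in the rectilinear basis
            sent_bit, sent_basis = measure(bit, a_basis, RECT, rng), RECT
        elif r < p1 + p2:        # Eve measures in the diagonal basis
            sent_bit, sent_basis = measure(bit, a_basis, DIAG, rng), DIAG
        if a_basis != b_basis:
            continue             # rejected when the bases are compared
        received = measure(sent_bit, sent_basis, b_basis, rng)
        counts[a_basis][1] += 1
        counts[a_basis][0] += int(received != bit)
    return counts


def naive_error_rate(counts):
    """Single lumped error rate, as in the original BB84 quality check."""
    errors = counts[RECT][0] + counts[DIAG][0]
    accepted = counts[RECT][1] + counts[DIAG][1]
    return errors / accepted


def refined_error_rates(counts):
    """(e1, e2): separate error rates for the rectilinear and diagonal subsets."""
    return tuple(counts[b][0] / counts[b][1] for b in (RECT, DIAG))


def predicted_average(p, p1, p2):
    """Eq. (25): the average error rate seen by the lumped analysis."""
    return (p**2 * p2 + (1 - p)**2 * p1) / (2 * (p**2 + (1 - p)**2))


def accepts_naive(counts, e_max):
    return naive_error_rate(counts) < e_max


def accepts_refined(counts, e_max):
    return all(e < e_max for e in refined_error_rates(counts))


if __name__ == "__main__":
    # Eve always measures in the dominant (diagonal) basis: p1 = 0, p2 = 1.
    counts = simulate(200_000, p=0.1, p1=0.0, p2=1.0)
    e1, e2 = refined_error_rates(counts)
    print(f"lumped rate {naive_error_rate(counts):.4f} "
          f"(Eq. 25 predicts {predicted_average(0.1, 0.0, 1.0):.4f})")
    print(f"e1 = {e1:.3f}, e2 = {e2:.3f}")
    print("naive check accepts:", accepts_naive(counts, 0.11))
    print("refined check accepts:", accepts_refined(counts, 0.11))
```
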



4.3 Procedure of efficient QKD 

We now give the complete procedure of an efficient QKD scheme. Its security 
will be discussed in Subsection 4.4 and more details of a proof of its security 
will be given in Section El 

Protocol E: Protocol for efficient QKD 

(1) Alice and Bob pick a number $0 < p < 1/2$ whose value is made public. Let N be a large integer. Alice sends a sequence of N photons to Bob. For each photon Alice chooses between the two bases, rectilinear and diagonal, with probabilities p and 1 - p respectively. The value of p is chosen so that $N(p^2 - \delta') = m_1 = \Omega(\log N)$, where $\delta'$ is some small positive number and $m_1$ is the number of test photons in the rectilinear basis in Step (7). 

(2) Bob measures the polarization of each received photon independently along the rectilinear and diagonal bases with probabilities p and 1 - p respectively. 

(3) Bob records his measurement bases and the results of the measure- 
ments. 

(4) Bob announces his bases (but not the results) through the public 
unjammable channel that he shares with Alice. 

(5) Alice tells Bob which of his measurements have been done in the 
correct bases. 

(6) Recall that each of Alice and Bob uses one of the two bases — rec- 
tilinear and diagonal. Alice and Bob divide up their polarization data into 
four cases according to the actual bases used. They then throw away the two 
cases when they have used different bases. The remaining two cases are kept 
for further analysis. 

(7) From the subset where they both use the rectilinear basis, Alice and
Bob randomly pick a fixed number, say $m_1$, of photons and publicly compare
their polarizations. (Since $N(p^2 - \delta') = m_1$, for a large $N$, it is highly likely
that at least $m_1$ photons are transmitted and received in the rectilinear basis.
If not, they abort.) The number of mismatches $r_1$ tells them the estimated
error rate $e_1 = r_1/m_1$. Similarly, from the subset where they both use the
diagonal basis, Alice and Bob randomly pick a fixed number, say $m_2$, of photons
and publicly compare their polarizations. The number of mismatches $r_2$ gives
the estimated error rate $e_2 = r_2/m_2$.

Provided that the test samples $m_1$ and $m_2$ are sufficiently large, the
estimated error rates $e_1$ and $e_2$ should be rather accurate. As will be given in
Subsection 5.4, $m_1$ and $m_2$ should be at least of order $\Omega(\log k)$, where $k$ is
the length of the final key. Now they demand that $e_1, e_2 < e_{\max} - \delta_e$, where
$e_{\max}$ is a prescribed maximal tolerable error rate and $\delta_e$ is some small positive
parameter. If these two independent constraints are satisfied, they proceed
to step (8). Otherwise, they throw away the polarization data and re-start
the whole procedure from step (1).

(8) Reconciliation and privacy amplification: For simplicity, in what
follows, we will take $m_1 = m_2 = N(p^2 - \delta')$. Alice and Bob randomly pick
$n = N[(1-p)^2 - p^2 - \delta']$ photons from those untested photons that are
transmitted and received in the diagonal basis. Alice and Bob then independently
convert the polarizations of those $n$ photons into a raw key by, for example,
regarding a 45-degree photon as denoting a '0' and a 135-degree photon a
'1'.

Remark 10: Note that the raw key is generated by measuring along a
single basis, namely the diagonal basis. This greatly simplifies the analysis
without compromising efficiency or security.

Alice and Bob pick a CSS code based on two classical binary codes, $C_1$ and
$C_2$, as in Eqs. (fT7|) and (fTHj), such that both $C_1$ and $C_2^{\perp}$, the dual of $C_2$, correct
up to $t$ errors where $t$ is chosen such that the following procedure of error
correction and privacy amplification will succeed with a high probability.

(8.1) Let $v$ be Alice's string of the remaining $n$ unchecked bits.
Alice picks a random codeword $u \in C_1$ and publicly announces $u + v$.

(8.2) Let $v + \Delta$ be Bob's string of the remaining $n$ unchecked bits. (It
differs from Alice's string due to the presence of errors $\Delta$.) Bob subtracts
Alice's announced string $u + v$ from his own string to obtain $u + \Delta$, which
is a corrupted version of $u$. Using the error correcting property of $C_1$, Bob
recovers a codeword, $u$, in $C_1$.

(8.3) Alice and Bob use the coset of $u + C_2$ as their key.

Remark 11: As noted before, there is a minor subtlety [S3]. To tolerate a 
higher channel error rate of up to about 11%, Alice should apply a random 
permutation to the qubits before their transmission to Bob. Bob should then 
apply the inverse permutation before decoding. 
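Steps (8.1) to (8.3) on a toy scale, as an added example that is not from the paper: $C_1$ is taken to be the [7,4] Hamming code and $C_2$ its dual, the [7,3] simplex code. This is an assumed choice in which $C_2$ is contained in $C_1$ and both $C_1$ and the dual of $C_2$ correct t = 1 error; 7-bit strings are stored as Python integers and addition is XOR.

```python
import random

N_BITS = 7


def syndrome(word):
    """Hamming syndrome: XOR of the 1-based positions of the set bits (0 = codeword)."""
    s = 0
    for i in range(N_BITS):
        if (word >> i) & 1:
            s ^= i + 1
    return s


# C1: all 16 words with zero syndrome, i.e. the [7,4] Hamming code.
C1 = [w for w in range(1 << N_BITS) if syndrome(w) == 0]

# C2: span of the three parity-check rows, i.e. the dual of C1 (8 words).
H_ROWS = [sum(1 << i for i in range(N_BITS) if ((i + 1) >> r) & 1) for r in range(3)]
C2 = sorted({(a * H_ROWS[0]) ^ (b * H_ROWS[1]) ^ (c * H_ROWS[2])
             for a in (0, 1) for b in (0, 1) for c in (0, 1)})
assert set(C2) <= set(C1)          # CSS requirement: C2 is a subcode of C1


def alice_announce(v, rng):
    """Step (8.1): pick a random codeword u in C1 and publish u + v."""
    u = rng.choice(C1)
    return u, u ^ v


def bob_recover(bob_string, announced):
    """Step (8.2): subtract the announcement to get u + Delta, then decode in C1."""
    noisy = bob_string ^ announced
    s = syndrome(noisy)
    # A non-zero syndrome names the position of a single flipped bit.
    return noisy ^ (1 << (s - 1)) if s else noisy


def coset_key(u):
    """Step (8.3): the key is the coset u + C2, labelled by its smallest member."""
    return min(u ^ c for c in C2)


def run_round(v, delta, seed=0):
    """Return (Alice's key, Bob's key) when Bob's raw string is v + delta."""
    rng = random.Random(seed)
    u, announced = alice_announce(v, rng)
    u_bob = bob_recover(v ^ delta, announced)
    return coset_key(u), coset_key(u_bob)


if __name__ == "__main__":
    v = 0b1011001                                  # constructed raw key
    print("no error:   ", run_round(v, 0b0000000))
    print("one error:  ", run_round(v, 0b0010000))
    print("two errors: ", run_round(v, 0b0000011))  # beyond t = 1: keys differ
```

The 16 codewords of $C_1$ fall into two cosets of $C_2$, so seven raw bits yield one key bit here; a weight-2 error pattern makes the Hamming decoder return a codeword in the other coset, which is why the error-rate test must pass before this step.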

4.4 Outline proof of Security of efficient QKD scheme 

In this subsection, we will give the general strategy of proving the
unconditional security of the efficient QKD scheme and discuss some subtleties.
Some loose ends will be tightened in Section 5.

First of all, we would like to derive the relationship between the error rates
in the two bases ($X$ and $Z$) in biased BB84 and the bit-flip and phase error
rates in the underlying entanglement purification protocol (EPP). Actually,
this depends on how the key is generated. If the key is generated only from
polarization data in, say, the $Z$-basis, then clearly, the bit-flip error rate is
simply the $Z$-basis bit error rate and the phase error rate is simply the
$X$-basis bit error rate. On the other hand, if the key is generated only from
polarization data in, say, the $X$-basis, then the bit-flip error rate is simply the
$X$-basis bit error rate and the phase error rate is simply the $Z$-basis bit error
rate.

More generally, if a key is generated by making a fraction, $q$, of the
measurements along the $Z$-basis and a fraction, $1 - q$, along the $X$-basis,
then the bit-flip and phase error rates are given by weighted averages of the
bit error rates of the two bases:



^phase ^ + (27) 

where $e_1$ and $e_2$ are the bit error rates of the $Z$ and the $X$ bases respectively.

Now, in a refined data analysis, Alice and Bob separate data from the two
bases into two sets and compute the error rates in the two sets individually.
This gives them individual estimates on the bit error rates, $e_1$ and $e_2$, of the
$Z$ and $X$ bases respectively. They demand that both error rates must be
sufficiently small, say,

$$0 < e_1, e_2 < e_{\max} - \delta_e. \tag{28}$$

From Eqs. (27), we see that, provided that the bit error rates of the $X$
and $Z$ bases are sufficiently small (such that Eqs. (28) are satisfied), we have

$$0 < e^{\text{bit-flip}}, e^{\text{phase}} < 11\%, \tag{29}$$

which says that both bit-flip and phase-flip signal error rates of the under- 
lying EPP are small enough to allow CSS code to correct. Therefore, Shor 
and Preskill's argument carries over directly to establish the security of our 
efficient QKD scheme, if Alice and Bob apply a refined data analysis. This 
completes our sketch of the proof of security. 

We remark that the error correction and privacy amplification procedure
that we use are exactly the same as in Shor-Preskill's proof. The point is
the following: Once the error rates for both the bit-flip and phase errors are
shown to be correctable by a quantum (CSS) code, the procedure for error
correction and privacy amplification in their proof can be carried over directly
to our new scheme.

4.5 Practical issues

Several complications deserve attention. First, Alice and Bob only have
estimators of $e_1$ and $e_2$, the bit error rates of the two bases, from their
random sample. They need to establish confidence levels on the actual bit
error rates of the population (or more precisely, those of the untested signals)
from those estimators. Second, Alice and Bob are interested in the bit-flip
and phase error rates of the EPP, rather than the bit error rates of the two
bases. Some conversion of the confidence levels has to be done. Given that
the two bases are weighted differently, such a conversion looks non-trivial.
Third, Alice and Bob have to deal with finite sample and population sizes
whereas many statistics textbooks take the limit of infinite population size.
Indeed, it is commonplace in statistics textbooks to take the limit of infinite
population size and, therefore, assume a normal distribution. Furthermore, in
practice, Alice and Bob are interested in bounds, not approximations (which
might over-estimate or under-estimate) which many statistics textbooks are
content with.

Another issue: it is useful to specify the constraints on the bias
parameter, $q$, and the size of the test samples, $m_1$ and $m_2$. Indeed, in order to
demonstrate the security of an efficient scheme for QKD, it is important to
show that the size of the test sample can be a very small fraction of the total
number of transmitted photons.

We shall present some basic constraints here. As will be shown in
Section 5, these basic constraints turn out to be the most important ones. We see
from Remark 2 that, if one limits the eavesdropper's information, $I_{eve}$, to
less than a small fixed amount, then, as the length, $k$, of the key increases,
the allowed infidelity in Theorem 2, $\delta$, of the state must decrease at least as
$O(1/k)$. Suppose $m_1$ and $m_2$ signals are tested for the two different bases
respectively; it is quite clear that $\delta$ is at least $e^{-O(m_i)}$. This leads to a constraint
that $m_i$ is at least $\Omega(\log k)$.^10 Suppose $N$ photons are transmitted and Alice
sends photons along the rectilinear and diagonal bases with probabilities $p$
and $1 - p$ respectively. Then, the average number of particles available for
testing along the rectilinear basis is only $Np^2$. Imposing that $m_1$ is no more
than order $Np^2$, we obtain $Np^2 = \Omega(\log k)$.

5 Details of Proof of security of efficient QKD 

We will now tighten some of the loose ends in the proof of unconditional
security of our efficient QKD protocol, Protocol E.

^10 Notice that this constraint is weaker than the usual constraint of $m_i = \Omega(N)$
imposed by various other proofs [1^ I1U| . In the next section, we will see that it is, indeed,
unnecessary to impose $m_i = \Omega(N)$.

5.1 Using only one basis to generate the raw key

Recall that, in a refined data analysis, Alice and Bob separate data from
the two bases into two sets and compute the error rates in the two sets
individually. This gives them individual estimates on the bit error rates, $e_1$
and $e_2$, of the $Z$ and $X$ bases respectively. Alice and Bob demand that both
error rates must be sufficiently small, say,

$$0 < e_1, e_2 < e_{\max} - \delta_e, \tag{30}$$

where $\delta_e$ is some small positive parameter. From the work of Shor-Preskill,
$e_{\max}$ is about 11%.

We would like to derive the relationship between the error rates in the two
bases ($X$ and $Z$) in biased BB84 and the bit-flip and phase error rates in the
underlying entanglement purification protocol (EPP). Actually, this depends
on how the key is generated. In our Protocol E, the raw key is generated only
from polarization data in the $X$-basis (diagonal basis), so the bit-flip error rate
is simply the $X$-basis bit error rate and the phase error rate is simply the
$Z$-basis (rectilinear basis) bit error rate. Therefore, no non-trivial conversion
between the error rates of the two bases and the bit-flip and phase error
rates needs to be performed. This greatly simplifies our analysis without
compromising the efficiency or security of the scheme.

Therefore, we have:

$$0 < e^{\text{phase}}_{\text{sample}}, e^{\text{bit-flip}}_{\text{sample}} < e_{\max} - \delta_e, \tag{31}$$

where $\delta_e$ is some small positive parameter and $e_{\max}$ is about 11%.

5.2 Using classical random sampling theory to estab- 
lish confidence levels 

A main point of Shor-Preskill's proof is that the bit-flip and phase error rates
of the random sample provide good estimates of the population bit-flip and
phase error rates. Indeed, our refined data analysis, as presented in jl^l and
earlier version of the current paper, has been employed by Gottesman and
Preskill [28] in their recapitulation of Shor and Preskill's proof. Gottesman
and Preskill assumed that Alice and Bob generate the key by always
measuring along the $Z$-axis. We remark that the problem of establishing confidence
levels of the population from the data provided by a random sample is strictly
a problem in classical random sampling theory because the relevant operators
all commute with each other. See subsection 3.3 for details.

It should be apparent that Gottesman-Preskill's reformulation of Shor- 
Preskill's proof and its accompanying analysis of classical statistics carry over 
to our efficient QKD scheme, provided that we employ the prescribed refined 
data analysis. 

Let us now give more details of the argument that the sample (bit-flip
and phase) error rates provide good estimates of the population (bit-flip and
phase) error rates. It is simpler to take the limit of $N$ goes to infinity. In
this case, the classical de Finetti's representation theorem applies [1^]. The
de Finetti's theorem states that the number, $r_1$, of phase errors in the test
sample of $m_1$ photons is distributed according to:

$$p(r_1, m_1) = \binom{m_1}{r_1} \int_0^1 z^{r_1} (1-z)^{m_1 - r_1} P_\infty(z)\, dz \tag{32}$$

for some 'probability of probabilities' (i.e., a non-negative function, $P_\infty$).
Physically, it means that one can imagine that each photon is generated
by some unknown independent, identical distribution that is chosen with a
probability, $P_\infty(z)$.

Similarly, for the bit-flip errors, its number, $r_2$, in the test sample of $m_2$
photons is distributed according to:

$$p(r_2, m_2) = \binom{m_2}{r_2} \int_0^1 z^{r_2} (1-z)^{m_2 - r_2} P_\infty(z)\, dz \tag{33}$$

for some 'probability of probabilities', $P_\infty(z)\, dz$.

We are interested in the case of a finite population size, $N$. Fortunately,
a similar expression still exists [HTl 1^ and it can be written in terms of
hypergeometric functions:

$$p(r_2, m_2) = \sum_{n=r_2}^{N - m_2 + r_2} \left[ C(m_2, r_2)\, C(N - m_2, n - r_2) / C(N, n) \right] P(n, N) \tag{34}$$

where $C(a, b)$ is the number of ways of choosing $b$ objects from $a$ objects and
$P(n, N)$ is the 'probability of probabilities'.

An upper bound, which will be sufficient for our purposes, can be found 
in the following Lemma. 

Lemma 1. Suppose one is given a population of $n_{total}$ balls out of which
$p\,n_{total}$ of them are white and the rest are black. One then picks $n_{test}$ balls
randomly and uniformly from this population without replacement. Then,
the probability of getting at most $\lfloor \lambda n_{test} \rfloor$ white balls,
$\Pr_{wr}(X \le \lfloor \lambda n_{test} \rfloor)$, satisfies the inequality

$$\Pr_{wr}(X \le \lfloor \lambda n_{test} \rfloor) < 2^{-n_{test}\{A(\lambda,p) - n_{test}/[(n_{total} - n_{test})\ln 2]\}} \tag{35}$$

provided that $n_{test} > 1$ and $0 < \lambda < p$, where

$$A(\lambda,p) = -H(\lambda) - \lambda \log_2 p - (1 - \lambda)\log_2(1 - p) \tag{36}$$

with $H(\lambda) = -\lambda\log_2\lambda - (1 - \lambda)\log_2(1 - \lambda)$ being the well-known binary
entropy function.

Furthermore, $A(\lambda,p) \ge 0$ whenever $0 < \lambda \le p < 1$ and the equality holds
if and only if $\lambda = p$.

Proof. We denote the probability of getting exactly $j$ white balls by
$\Pr_{wr}(X = j)$. Clearly,

$$\Pr_{wr}(X = j) = \binom{n_{test}}{j} \frac{(p\,n_{total} - j + 1)_j \, ([1 - p]\,n_{total} - n_{test} + j + 1)_{n_{test} - j}}{(n_{total} - n_{test} + 1)_{n_{test}}} \tag{37}$$

where $(x)_j = x(x + 1)(x + 2) \cdots (x + j - 1)$. Eq. (37) is called the
hypergeometric distribution whose properties have been studied in great detail. In
particular, Srodka showed that



PrUX = j) < 



< 



\ J / V ntotal/ 

1 



1 + 



S'^test + Sr^tcst - 1 



12n 



total 



y j V ntotai/ 



(38) 



whenever $n_{test} > 1$.
Consequently, 



Pr^r{X < [AntestJ) 



(39)
<




"tost -J 



(40) 



< 



\ '^total / 

$2^{-n_{test}\{-H(\lambda) - \lambda\log_2 p - (1 - \lambda)\log_2(1 - p) - n_{test}/[(n_{total} - n_{test})\ln 2]\}}$




$2^{n_{test}[H(\lambda) + \lambda\log_2 p + (1 - \lambda)\log_2(1 - p)]}$



(41) 



< 



(42) 



whenever $0 < \lambda < p$. Note that we have used the inequality in [52] to obtain
Eq. dH} and the inequality < ln(1 - x) < -x < to obtain Eq. (fl^
respectively. Hence, Eq. fl^ holds.

Finally we want to show that $A(\lambda,p) \ge 0$ whenever $0 < \lambda \le p < 1$, and
the equality holds if and only if $\lambda = p$. This fact follows directly from the
observations that $A(\lambda,\lambda) = 0$ and $\partial A/\partial p \ge 0$ whenever $0 < \lambda \le p < 1$, where the
equality holds if and only if $\lambda = p$. Q.E.D.

Note that Lemma 1 gives a precise bound, not just an approximation. The
upshot of Lemma 1 is that the probability that the sample mean deviates
from the population mean by any arbitrary but fixed non-zero amount can
be shown to be exponentially small in $n_{test}$, as discussed in subsection 4.5. In
effect, Lemma 1 gives the conditional probability, $\epsilon_1$, that the signal quality
check stage is passed, given that more than $t = \lfloor (d - 1)/2 \rfloor$ out of the $n$ pairs
of shared entangled particles between Alice and Bob are in error. We will
choose $n_{test} = m_1 = m_2$ in our Protocol E.
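The bound of Lemma 1 can be checked against the exact hypergeometric tail. The following added Python example (not from the paper) does so and also searches for the smallest test sample that meets a target failure probability; the population sizes, error rates and function names are constructed for illustration.

```python
from math import comb, floor, log, log2


def binary_entropy(x):
    """H(x) in bits, with H(0) = H(1) = 0."""
    return 0.0 if x in (0.0, 1.0) else -x * log2(x) - (1 - x) * log2(1 - x)


def big_a(lam, p):
    """A(lambda, p) of Eq. (36)."""
    return -binary_entropy(lam) - lam * log2(p) - (1 - lam) * log2(1 - p)


def exact_tail(n_total, n_white, n_test, lam):
    """Exact Pr(X <= floor(lam * n_test)) for n_test draws without replacement."""
    cutoff = floor(lam * n_test)
    favourable = sum(comb(n_white, j) * comb(n_total - n_white, n_test - j)
                     for j in range(cutoff + 1))
    return favourable / comb(n_total, n_test)


def lemma1_bound(n_total, p, n_test, lam):
    """Right-hand side of Eq. (35), capped at 1 because it bounds a probability."""
    if not (1 < n_test < n_total and 0 < lam < p < 1):
        raise ValueError("Lemma 1 needs n_test > 1 and 0 < lambda < p")
    exponent = n_test * (big_a(lam, p) - n_test / ((n_total - n_test) * log(2)))
    return 1.0 if exponent <= 0 else 2.0 ** (-exponent)


def min_test_size(n_total, p, lam, security_bits):
    """Smallest n_test whose Lemma 1 bound is <= 2**-security_bits, else None.

    The n_test**2 correction term means the bound stops improving once the
    sample is no longer small compared with the population, so the search
    can fail for small n_total.
    """
    target = 2.0 ** (-security_bits)
    for n_test in range(2, n_total):
        if lemma1_bound(n_total, p, n_test, lam) <= target:
            return n_test
    return None


if __name__ == "__main__":
    # Constructed case: 11% of 100000 signals are in error, 200 are tested,
    # and the test passes if at most 5% of the sample shows an error.
    print("exact tail :", exact_tail(100_000, 11_000, 200, 0.05))
    print("Lemma bound:", lemma1_bound(100_000, 0.11, 200, 0.05))
    for bits in (20, 40):
        print(bits, "bits ->", min_test_size(10**8, 0.11, 0.08, bits), "test signals")
```

Doubling the security exponent roughly doubles the required sample, which is the linear dependence of $n_{test}$ on the logarithm of the failure probability that the lemma expresses.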

5.3 Bounding fidelity 

Given any eavesdropping strategy that will pass the verification test with
a probability, $\epsilon_2$, it is important to obtain a bound on the fidelity of the
recovered state as $k$ EPR pairs, after quantum error correction and quantum
privacy amplification. We have the following Theorem.

Theorem 3. (Adapted from [44]) Suppose Alice and Bob perform
a stabilizer-based EPP-based QKD and, for the verification test, randomly
sample along at least two of the three bases, $X$, $Y$ and $Z$, and compute
their error rates. Suppose further that the CSS code used in the signal
privacy amplification stage acts on $n$ imperfect pairs of qubits to distill out
$k$ pairs of qubits. Given any fixed but arbitrary eavesdropping strategy by
Eve, define the following probabilities:

$$p = P(\text{EPP succeeds}), \tag{43}$$

$$\epsilon_1 = P(\text{verification passed} \mid \text{EPP fails}), \tag{44}$$

and

$$E_1 = P(\text{verification failed} \mid \text{EPP succeeds}). \tag{45}$$

(In statistics language, $\epsilon_1$ and $E_1$ are the type I and II errors respectively.)
Then, for any Eve's cheating strategy whose probability of passing the
verification test is greater than $\epsilon_2$, the fidelity of the remaining untested shared
entangled state immediately after the quantum privacy amplification is greater
than $1 - \epsilon_1/\epsilon_2$.

Proof. From Theorem 1 and Proposition 1, one can, indeed, apply
classical arguments to the problem by assigning classical probabilities to the
$N$-Bell-basis states. Given any fixed but arbitrary eavesdropping strategy,
the fidelity of the remaining untested entangled state is given by:

$$\begin{aligned}
F &\ge \frac{P(\text{verification passed and EPP succeeds})}{P(\text{verification passed})} \\
&= \frac{P(\text{EPP succeeds})\,P(\text{verification passed} \mid \text{EPP succeeds})}{P(\text{EPP succeeds})\,P(\text{verification passed} \mid \text{EPP succeeds}) + P(\text{EPP fails})\,P(\text{verification passed} \mid \text{EPP fails})} \\
&= \frac{p(1 - E_1)}{p(1 - E_1) + (1 - p)\epsilon_1} \\
&\ge 1 - \frac{\epsilon_1}{p(1 - E_1) + (1 - p)\epsilon_1}.
\end{aligned} \tag{46}$$

Now, for any Eve's cheating strategy whose probability of passing the
verification test is greater than $\epsilon_2$, we have $p(1 - E_1) + (1 - p)\epsilon_1 > \epsilon_2$ and,
hence, from Eq. (46),

$$F > 1 - \frac{\epsilon_1}{\epsilon_2}. \tag{47}$$

This completes the proof of Theorem 3. Q.E.D.



5.4 Summary of the proof 

We will now put all the pieces together and show that a rigorous proof of
security is possible with the number of test particles, $m_1 = m_2 = n_{test}$,
scaling logarithmically with the length $k$ of the final key. Consequently, the
bias in an efficient BB84 scheme can be chosen such that $N(p^2 - \delta') = n_{test}$
for a small $\delta'$. In other words, $p = O(\sqrt{(\log k)/N})$, which goes to zero as
$N$ goes to infinity.

Given a signal quality check that involves only $n_{test}$ photons, from
Lemma 1, we see that the conditional probability, $\epsilon_1$, that the signal
quality check stage is passed, given that more than $t = \lfloor (d - 1)/2 \rfloor$ out of the
$n$ pairs of shared entangled particles between Alice and Bob are in error is
exponentially small in $n_{test}$, i.e.,

$$\epsilon_1 = O(2^{-n_{test}\alpha}), \tag{48}$$

for some positive constant $\alpha$.

Let Alice and Bob pick a security parameter,

$$\epsilon_2 = 2^{-u}, \tag{49}$$

and consider only eavesdropping strategies that will pass the signal quality
check with a probability at least $\epsilon_2$. We require that

$$\epsilon = \frac{\epsilon_1}{\epsilon_2} < 1. \tag{50}$$

Recall from Theorem 3 that any eavesdropping strategy that will pass
the signal quality check test with a probability at least $\epsilon_2$ has its fidelity
bounded by $1 - \epsilon$, i.e.,

$$F > 1 - \epsilon. \tag{51}$$

Now, from Theorem 2, the eavesdropper's mutual information with the
final key is bounded by

$$I^{Bound}_{eve} = \epsilon\left(2k + \log_2(1/\epsilon) + \frac{1}{\ln 2}\right). \tag{52}$$

Consider a fixed but arbitrary value of $I^{Bound}_{eve}$, the constraint on the
eavesdropper's mutual information on the final key: i.e.,

$$I^{Bound}_{eve} = 2^{-s}, \tag{53}$$

where $s$ is a positive security parameter. In the large $k$ limit, Eq. (j^^ implies
that

$$\epsilon = O(2^{-s}/k). \tag{54}$$

Substituting Eq. into Eq. (jSH), we see that



^^0(1). (55) 



Substituting Eqs. (gHl) and ^ into Eq. we find that 

$$\frac{k\, 2^{-n_{test}\alpha}}{2^{-(u+s)}} = O(1). \tag{56}$$



Now, for fixed but arbitrary values of the security parameters, $s$ and $u$,
we see that, in fact, the number of test photons, $n_{test}$, is required to scale
only as $O(\log k)$, i.e., the logarithm of the final key length. Consequently, the
only constraint on the bias $p$ is that there are enough photons for performing
the verification test. This gives rise to the requirement that
$N(p^2 - \delta') = n_{test} = O(\log k)$, i.e.,

$$p = O\left(\sqrt{(\log k)/N}\right). \tag{57}$$

This completes our proof of security of Protocol E, an efficient QKD 
scheme. We remark that the error correction and privacy amplification pro- 
cedure in Protocol E are exactly the same as in Shor-Preskill's proof. 

As a side remark, if one insists that the eavesdropper's information is
exponentially small in $N$, then one can take $s = cN$, for some positive
constant, $c$. From Eq. this will require $n_{test}$ to be proportional to $N$. A
number of earlier papers make such an assumption. However, in this paper,
we note that this requirement can be relaxed. For instance, it is consistent
to pick $s = cN^{\alpha'}$ where $0 < \alpha' < 1$. In this more general case, we have from
Eq. that asymptotically $\alpha n_{test} \sim cN^{\alpha'}$. Consequently,

$$\alpha N p^2 > \alpha n_{test} \sim cN^{\alpha'}$$

/ = )• (58) 

a 

From Eq. (58), it is clear that for all values of $\alpha' \in [0,1]$, the probability
$p$ can be chosen to be arbitrarily small, but non-zero. This completes our
analysis for the security of an efficient QKD scheme where each of Alice and
Bob picks the two polarization bases with probabilities $p$ and $1 - p$.

6 Concluding Remarks



In this paper, we presented a new quantum key distribution scheme and 
proved its unconditional security against the most general attacks allowed 
by quantum mechanics. 

In BB84, each of Alice and Bob chooses between the two bases (rectilinear
and diagonal) with equal probability. Consequently, Bob's measurement
basis differs from that of Alice's half of the time. For this reason, half of the
polarization data are useless and are thus thrown away immediately. We have
presented a simple modification that can essentially double the efficiency of
BB84. There are two important ingredients in this modification. The first
ingredient is for each of Alice and Bob to assign significantly different
probabilities (say $\epsilon$ and $1 - \epsilon$ respectively where $\epsilon$ is small but non-zero) to the
two polarization bases (rectilinear and diagonal respectively). Consequently,
they are much more likely to use the same basis. This decisively enhances
efficiency.

However, an eavesdropper may try to break such a scheme by eavesdropping
mainly along the predominant basis. To make the scheme secure against
such a biased eavesdropping attack, it is crucial to have the second ingredient,
a refined error analysis, in place. The idea is the following. Instead
of lumping all the accepted polarization data into one set and computing a
single error rate (as in BB84), we divide up the data into various subsets
according to the actual polarization bases used by Alice and Bob. In
particular, the two error rates for the cases 1) when both Alice and Bob use the
rectilinear basis and 2) when both Alice and Bob use the diagonal basis, are
computed separately. It is only when both error rates are small that they
accept the security of the transmission.

We then prove the security of the efficient QKD scheme, not only against the
specific attack mentioned above, but also against the most general attacks
allowed by the laws of quantum mechanics. In other words, our new scheme
is unconditionally secure. Moreover, just like the standard BB84 scheme, our
protocol can be implemented without a quantum computer. The maximal
tolerable bit error rate is 11%, the same as in Shor and Preskill's proof. If we
allow Eve to get a fixed but arbitrarily small amount of information on the
final key, then the number of test particles, $n_{test}$, is required only to scale
logarithmically with the length $k$ of the final key. Consequently, the bias in an
efficient BB84 scheme can be chosen such that $N(p^2 - \delta') = n_{test}$ for a small
$\delta'$ and where $N$ is the total number of photons transmitted. In other words,
$p = O(\sqrt{(\log k)/N})$, which goes to zero as $N$ goes to infinity. More generally,
suppose we pick the security parameter to be $s$ (for an eavesdropper's
information $I_{eve} < 2^{-s}$) such that $s = cN^{\alpha'}$ where $0 < \alpha' < 1$. We find that
this can be achieved by testing $n_{test}$ random photons where $\alpha n_{test} \sim cN^{\alpha'}$.
Furthermore, each of Alice and Bob may pick the two polarization bases with
probabilities $p$ and $1 - p$ such that $p^2 =$ Therefore, $p$ can, indeed,
be made arbitrarily small but non-zero.

This is the first time that a single-particle quantum key distribution
scheme has been proven to be secure without relying on a symmetry
argument, namely that the two bases are chosen randomly and uniformly. Our proof
is a generalization of Shor and Preskill's proof ISHl of security of BB84, a
proof that in turn built on earlier proofs by Lo and Chau [33] and also by
Mayers gH].

We remark that our idea of efficient schemes of quantum key distribution
applies also to other schemes such as Biham, Huttner and Mor's scheme |^
which is based on quantum memories. Our idea also applies to the six-state
scheme which has been shown rigorously to tolerate a higher error rate
of up to 12.7% [40].

As a side remark, Alice and Bob may use different biases in their choices
of probabilities. In other words, our idea still works if Alice chooses between
the two bases with probabilities $\epsilon$ and $1 - \epsilon$ and Bob chooses with probabilities
$\epsilon'$ and $1 - \epsilon'$ where $\epsilon \ne \epsilon'$.

Notes Added: An entanglement-based scheme with an efficiency greater than
50% has also been discussed in a recent preprint by two of us (H.-K. Lo and 
H.F. Chau) ^|. Recent proofs of the unconditional security of various QKD 
schemes have been provided by H. Inamori [HIlEl], H. Aschauer and H. J. 
Briegel and by D. Gottesman and J. Preskill |2H]- Recently, it has been 
shown j2n] by D. Gottesman and one of us (H.-K. Lo) that two-way classical 
communications can be used to increase substantially the maximal tolerable 
bit error rate in BB84 and the six-state scheme. The result presented in the 
current paper can be combined with [22] to obtain, for example, an efficient 
BB84 scheme that can tolerate a substantially higher bit error rate (say, 
18.9 percent) than in Shor-Preskill's proof. It has been shown in a recent 
preprint |^ that even imperfect devices can provide perfect security in QKD 
within the entanglement purification approach employed in the present paper. 
Finally, a proof of the unconditional security of another well-known QKD 
scheme, B92 scheme published by Bennett in 1992 Pj, has recently been 
presented